Description
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries.
Published: 2026-02-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

The referer_spam plugin for SPIP before version 1.3.0 contains an unauthenticated SQL injection flaw. Attackers can pass a crafted URL parameter via a GET request to the referer_spam_ajouter or referer_spam_supprimer actions. The plugin directly inserts the parameter into SQL LIKE clauses without validation or parameterization, and the endpoints lack any authorization checks. This enables arbitrary SQL queries to be executed against the backend database, potentially allowing data theft, corruption, or further compromise of the host if the database privileges are high.
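The pattern the description reports, beside a hardened handler, as an added illustration written for this advisory (not code from the referer_spam plugin or from SPIP): the fixed version signs the action, checks authorization, validates the value and quotes it before it reaches the LIKE clause. The table name spip_referer_spam, its url column and the 'webmestre' right are assumptions.

```php
<?php
// Added illustration for this advisory; not code from the referer_spam plugin or from SPIP.
// Assumed names: table spip_referer_spam with a "url" column, and the 'webmestre' right.

// Unsafe pattern, as the advisory describes it: the raw GET value is glued into a
// LIKE clause, with no action hash check and no authorization check.
function action_referer_spam_supprimer_unsafe_dist() {
    $url = _request('url');
    sql_delete('spip_referer_spam', "url LIKE '%$url%'");   // injectable
}

// Hardened version of the same handler.
function action_referer_spam_supprimer_dist() {
    // 1. Require a signed action: SPIP's securiser_action() compares the 'hash'
    //    query argument with the current session and stops the request on mismatch.
    $securiser_action = charger_fonction('securiser_action', 'inc');
    $securiser_action();

    // 2. Authorization: only webmasters may edit the referer spam list (assumed right).
    if (!autoriser('webmestre')) {
        return;
    }

    // 3. Validate the value's shape before it reaches the database layer.
    $url = trim((string) _request('url'));
    if ($url === '' || strlen($url) > 255 || !preg_match('#^https?://\S+$#i', $url)) {
        return;
    }

    // 4. Escape LIKE wildcards first (sql_quote() escapes quotes, not % or _),
    //    then let sql_quote() emit a properly quoted literal. The backslash escape
    //    assumes MySQL's default LIKE escape character.
    $pattern = '%' . strtr($url, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    sql_delete('spip_referer_spam', 'url LIKE ' . sql_quote($pattern));
}
```

Step 4 matters even with quoting in place: without it a caller can still turn a single url value into a broad wildcard match, which is a separate data-integrity problem from the injection itself.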

Affected Systems

All SPIP installations that use the referer_spam plugin at a version earlier than 1.3.0 are affected. The vulnerability resides in the plugin itself, but it is only reachable on a SPIP installation (any version that supports the plugin) where the plugin is installed and active. No specific operating system or database versions are enumerated, so any system running the plugin should be treated as affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3 (critical). An EPSS score below 1% suggests that, while the flaw is severe, the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only that an unauthenticated HTTP GET request reach the vulnerable endpoints, so any remote attacker with network access to the web server can attempt it. If the web application is exposed to the internet, the risk remains high until the plugin is patched.

Generated by OpenCVE AI on April 17, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the referer_spam plugin to version 1.3.0 or later, the official fix for this issue
  • If an upgrade is not immediately possible, disable the referer_spam plugin or block access to the referer_spam_ajouter and referer_spam_supprimer endpoints
  • Apply the latest SPIP core release (4.4.10 or newer) to ensure no other related weaknesses exist

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Spip spip
CPEs cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Vendors & Products Spip spip

Tue, 03 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:spip:referer_spam*:*:*:*:*:*:*:*:* cpe:2.3:a:spip:referer_spam:*:*:*:*:*:*:*:*
Vendors & Products Spip referer Spam*

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Spip referer Spam*
CPEs cpe:2.3:a:spip:referer_spam*:*:*:*:*:*:*:*:*
Vendors & Products Spip referer Spam*

Thu, 26 Feb 2026 20:30:00 +0000


Wed, 25 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}
        cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
        cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Spip
                    Spip referer Spam
Vendors & Products Spip
                   Spip referer Spam

Wed, 25 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries.
Title SPIP referer_spam <= 1.2.1 Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:24.787Z

Reserved: 2026-02-23T21:38:48.841Z

Link: CVE-2026-27743

Vulnrichment

Updated: 2026-02-25T15:34:19.685Z

NVD

Status : Analyzed

Published: 2026-02-25T04:16:04.783

Modified: 2026-03-03T19:11:51.893

Link: CVE-2026-27743

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses