Impact
The flaw lies in the action/cookie.php script of the SPIP CMS. A malicious actor can manipulate the redirect parameter so that the CMS redirects a user to an arbitrary external site. This weakness is classified as CWE‑601 – open redirect. While it does not grant direct code execution, it can be used in phishing or social engineering campaigns and may compromise user trust.
Affected Systems
The vulnerability affects the SPIP content‑management system, specifically any installation running a version earlier than 4.4.15. The affected component is the ecrire module, which uses the action cookie handling routine. Vendors need to ensure that their SPIP installations are upgraded to at least the 4.4.15 release, as prior releases are susceptible.
Risk and Exploitability
The CVSS score of 3.5 indicates that the risk is considered low from a purely technical standpoint. Because no EPSS score is available, there is no published data on the likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting that no widely‑known exploits have been observed. The primary attack vector would require the attacker to induce a user to click a crafted link or submit a malicious form; from there, the redirect can point the user to a phishing site or malicious content. The impact is limited to the victim’s browser and contextual trust, but the redirect can serve as one stage of a broader campaign.
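A detection sketch for the attack vector described above, added here as an example and not taken from the advisory or from SPIP's code: it scans web access logs for requests to the cookie action in which any query parameter points at a host other than the site's own. The site host name, the `?action=cookie` routing form, the `redirect` parameter name in the sample lines, and the log format are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions (not from the advisory): the site's own host name, the
# "?action=cookie" routing form, and combined-log-format access logs.
SITE_HOSTS = {"cms.example.org"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /spip.php?action=cookie&redirect=https%3A%2F%2Fphish.example.net%2Flogin HTTP/1.1" 302 0',
    '198.51.100.4 - - [12/Mar/2025:10:02:10 +0000] "GET /spip.php?action=cookie&redirect=%2Fecrire%2F HTTP/1.1" 302 0',
    '198.51.100.9 - - [12/Mar/2025:10:03:44 +0000] "GET /spip.php?action=cookie&redirect=%2F%2Fphish.example.net HTTP/1.1" 302 0',
    '192.0.2.15 - - [12/Mar/2025:10:04:00 +0000] "GET /spip.php?page=article&link=https%3A%2F%2Fother.example.com HTTP/1.1" 200 5120',
    '192.0.2.15 - - [12/Mar/2025:10:05:31 +0000] "GET /spip.php?action=cookie&redirect=https%3A%2F%2Fcms.example.org%2F HTTP/1.1" 302 0',
]

def offsite_host(value):
    """Return the host a redirect value points at if it is off-site, else None."""
    v = value.strip().replace("\\", "/")  # browsers treat "\" like "/"
    if v.startswith("//"):                # protocol-relative URL
        v = "http:" + v
    try:
        host = urlsplit(v).hostname
    except ValueError:                    # malformed value, e.g. a bad IPv6 literal
        return None
    if host and host.lower() not in SITE_HOSTS:
        return host.lower()
    return None

def suspicious_redirects(log_lines):
    """Return (request_target, off_site_host, status) for cookie-action hits."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        # parse_qsl percent-decodes values, so encoded URLs are caught too.
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if ("action", "cookie") not in params:
            continue
        for _name, value in params:
            host = offsite_host(value)
            if host:
                hits.append((target, host, status))
                break
    return hits
```

Hits that return a 3xx status and name a host you do not operate are the ones to review, together with the referrer and the mail or page that delivered the link.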