CVE-2024-7954

SPIP porte_plume Plugin Arbitrary PHP Execution

Basic Information

CVE State
PUBLISHED
Reserved Date
August 19, 2024
Published Date
August 23, 2024
Last Updated
August 23, 2024
Vendor
SPIP
Product
SPIP
Description
The porte_plume plugin shipped with SPIP before 4.30-alpha2 (i.e. 4.3.0-alpha2), 4.2.13, and 4.1.16 allows arbitrary code execution: a remote, unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
Tags
php nuclei_scanner
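
The affected-version logic from the description, turned into a triage check an operator can run against a fingerprinted host. This is an added example, not code from this page, from SPIP or from any of the PoCs listed below. The fixed releases per branch come from the description; the format of SPIP's Composed-By response header, the pre-release ordering (dev < alpha < beta < rc < final) and the sample headers are assumptions or constructed input, not facts stated on this page.

```python
"""Version-range triage for CVE-2024-7954 (SPIP porte_plume)."""
import re

# Fixed releases per branch, from the CVE description. "4.30-alpha2" in the
# advisory text is SPIP's 4.3.0-alpha2. Anything older than every fixed
# release (4.0.x, 3.x) is "before 4.1.16" and is treated as affected.
FIXED_IN = {
    (4, 1): "4.1.16",
    (4, 2): "4.2.13",
    (4, 3): "4.3.0-alpha2",
}

# Assumed pre-release ordering for SPIP tags: dev < alpha < beta < rc < final.
_PRE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_FINAL_RANK = 9

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(\d*))?")


def parse_version(text: str) -> tuple:
    """Turn 'major.minor.patch[-preN]' into a sortable tuple.

    A final release sorts after any pre-release of the same number,
    so 4.3.0-alpha2 < 4.3.0-beta < 4.3.0.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised SPIP version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    if pre:
        if pre not in _PRE_RANK:
            raise ValueError(f"unknown pre-release tag: {pre!r}")
        pre_key = (_PRE_RANK[pre], int(pre_num or 0))
    else:
        pre_key = (_FINAL_RANK, 0)
    return (int(major), int(minor), int(patch), pre_key)


def is_affected(version: str) -> bool:
    """True if this SPIP version lies inside the CVE-2024-7954 affected range."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < parse_version(FIXED_IN[branch])
    # 4.0.x and 3.x are older than every fixed release -> "before 4.1.16".
    if branch < (4, 1):
        return True
    # 4.4+ and 5.x post-date the fix and are outside the described range.
    return False


def version_from_composed_by(header_value: str):
    """Extract the version from a SPIP 'Composed-By' header value.

    Assumed header format (not from this page): 'SPIP 4.2.12 @ www.spip.net ...'.
    Returns None when the header does not name a SPIP version.
    """
    m = re.search(r"\bSPIP\s+(\d+\.\d+\.\d+(?:-[a-z]+\d*)?)", header_value)
    return m.group(1) if m else None


def triage_response_headers(headers: dict):
    """Classify a server from its response headers.

    Returns (version, affected), or (None, None) when SPIP is not identified.
    Header names are matched case-insensitively.
    """
    for name, value in headers.items():
        if name.lower() == "composed-by":
            version = version_from_composed_by(value)
            if version:
                return version, is_affected(version)
    return None, None


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real host.
    samples = [
        {"Server": "nginx", "Composed-By": "SPIP 4.2.12 @ www.spip.net"},
        {"Server": "nginx", "Composed-By": "SPIP 4.2.13 @ www.spip.net"},
        {"Server": "Apache", "Composed-By": "SPIP 4.3.0-alpha1 @ www.spip.net"},
        {"Server": "Apache"},
    ]
    for h in samples:
        print(h.get("Composed-By", "<no Composed-By>"), "->", triage_response_headers(h))
```

A version string alone is only a first pass: a host can strip or forge Composed-By, and a backported fix on an unlisted branch would be reported as affected, so confirm with the vendor's patched files rather than relying on this check.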

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score
93.77% (Percentile: 99.85%) as of 2025-07-18

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-06-26 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-06-27 12:01:06 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

spip_porte_plume_previsu_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2024-7954

0dayan0n/RCE_CVE-2024-7954-

Type: github • Created: 2024-12-28 01:05:05 UTC • Stars: 2

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request. (CRITICAL)

MuhammadWaseem29/RCE-CVE-2024-7954

Type: github • Created: 2024-10-05 07:24:57 UTC • Stars: 6

TheCyberguy-17/RCE_CVE-2024-7954

Type: github • Created: 2024-09-23 16:11:20 UTC • Stars: 4

gh-ost00/CVE-2024-7954-RCE

Type: github • Created: 2024-09-01 10:59:45 UTC • Stars: 7

Unauthenticated Remote Code Execution in SPIP versions up to and including 4.2.12

bigb0x/CVE-2024-7954

Type: github • Created: 2024-08-28 14:54:56 UTC • Stars: 5

This exploit will attempt to execute system commands on SPIP targets.

Chocapikk/CVE-2024-7954

Type: github • Created: 2024-08-10 20:15:41 UTC • Stars: 10

Unauthenticated Remote Code Execution in SPIP versions up to and including 4.2.12

Timeline

  • CVE ID Reserved (August 19, 2024)

  • CVE Published to Public (August 23, 2024)

  • Detected by Nuclei

  • Detected by Metasploit

  • Added to KEVIntel (2025-06-27)