KEVIntel
CVSS 9.8 Critical

CVE-2024-7954

PUBLISHED

SPIP porte_plume Plugin Arbitrary PHP Execution

PoC available · Remote · Low complexity · No user interaction
Vendor
SPIP
Product
SPIP
Published
Aug 23, 2024
EPSS

Description

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Proof of concept available

Recorded 2024-12-28 01:05:05 UTC

SSVC decision points

Exploitation
none
Automatable
Yes
Technical impact
total

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: The Shadowserver (via CIRCL) · Added: Jun 26, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

spip_porte_plume_previsu_rce

metasploit · Created Unknown

Metasploit module for CVE-2024-7954

0dayan0n/RCE_CVE-2024-7954-

github · Created 2024-12-28 01:05:05 UTC · 2 stars

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request. (CRITICAL)

MuhammadWaseem29/RCE-CVE-2024-7954

github · Created 2024-10-05 07:24:57 UTC · 6 stars

TheCyberguy-17/RCE_CVE-2024-7954

github · Created 2024-09-23 16:11:20 UTC · 4 stars

gh-ost00/CVE-2024-7954-RCE

github · Created 2024-09-01 10:59:45 UTC · 7 stars

Unauthenticated Remote Code Execution in SPIP versions up to and including 4.2.12

bigb0x/CVE-2024-7954

github · Created 2024-08-28 14:54:56 UTC · 5 stars

This exploit will attempt to execute system commands on SPIP targets.

Chocapikk/CVE-2024-7954

github · Created 2024-08-10 20:15:41 UTC · 10 stars

Unauthenticated Remote Code Execution in SPIP versions up to and including 4.2.12

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Detected by Metasploit

  • Added to KEVIntel