CVE-2024-7954: Unauthenticated Remote Code Execution in the SPIP porte_plume Plugin
Advisory Summary
Vulnerability Type: Remote Code Execution (RCE)
Affected Component: porte_plume plugin (SPIP CMS)
CVSSv3 Score: 9.8 (Critical)
Attack Vector: Network-accessible HTTP interface
Affected Versions
SPIP < 4.1.16 (including the older 3.x and 4.0.x branches)
SPIP 4.2.x < 4.2.13
SPIP 4.3.0 pre-releases < 4.3.0-alpha2
Impact
Successful exploitation allows an unauthenticated attacker to:
- Execute arbitrary code with the privileges of the web server process
- Fully compromise the affected SPIP instance (content, configuration, database credentials)
- Pivot from the web server to backend systems reachable from it
Mitigation
Immediate Patching:
Upgrade to SPIP 4.1.16, 4.2.13, or 4.3.0-alpha2 (or later) for the branch in use
Temporary Measures:
Disable porte_plume plugin if unused
Restrict HTTP POST requests to /porte_plume endpoints
Detection (note: this only confirms the plugin files are present, not whether the installed release is patched; on a standard install porte_plume ships with core under plugins-dist/ rather than plugins/):
grep -r "porte_plume" /var/www/spip/plugins/
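Because the grep above says nothing about the release level, the check a practitioner actually needs is the SPIP version compared against the fixed releases. The script below is an added example for this advisory, not code from the SPIP project: it reads `$spip_version_branche` from `ecrire/inc_version.php` (the core file that declares the installed version) and classifies it against 4.1.16, 4.2.13 and 4.3.0-alpha2. The default install path and the sample `inc_version.php` it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example for this advisory; not code from the SPIP project.
# Classifies a SPIP version against the fixed releases named above
# (4.1.16, 4.2.13, 4.3.0-alpha2). Anything below 4.1.16, including the
# end-of-life 3.x and 4.0.x branches, is treated as affected.

# Extract the branch version from ecrire/inc_version.php, which declares
# $spip_version_branche = "x.y.z";  (install path is an assumption).
spip_version_from_tree() {
    f="${1:-/var/www/spip}/ecrire/inc_version.php"
    v=""
    if [ -r "$f" ]; then
        v=$(sed -n 's/^\$spip_version_branche *= *"\([^"]*\)".*/\1/p' "$f" | head -n 1)
    fi
    printf '%s\n' "${v:-unknown}"
}

# Prints "affected" or "patched"; returns 0 when the version is affected.
spip_is_affected() {
    v="$1"
    base="${v%%-*}"                       # "4.3.0-alpha1" -> "4.3.0"
    pre="${v#"$base"}"; pre="${pre#-}"    # -> "alpha1" (empty for releases)
    set -- $(printf '%s\n' "$base" | awk -F. '{print $1+0, $2+0, $3+0}')
    major=$1; minor=$2; patch=$3
    verdict=patched
    if [ "$major" -lt 4 ]; then
        verdict=affected
    elif [ "$major" -eq 4 ]; then
        case "$minor" in
            0) verdict=affected ;;
            1) if [ "$patch" -lt 16 ]; then verdict=affected; fi ;;
            2) if [ "$patch" -lt 13 ]; then verdict=affected; fi ;;
            3) # only the 4.3.0-alpha1 pre-release is affected
               if [ "$patch" -eq 0 ]; then
                   case "$pre" in
                       alpha*) n="${pre#alpha}"
                               if [ "${n:-1}" -lt 2 ]; then verdict=affected; fi ;;
                   esac
               fi ;;
        esac
    fi
    printf '%s\n' "$verdict"
    [ "$verdict" = affected ]
}

# Constructed sample tree (not a real installation) to exercise the extractor.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/ecrire"
printf '<?php\n$spip_version_branche = "4.2.12";\n' > "$demo_tree/ecrire/inc_version.php"
ver=$(spip_version_from_tree "$demo_tree")
if spip_is_affected "$ver" >/dev/null; then
    echo "SPIP $ver: affected, upgrade to the fixed release for this branch"
else
    echo "SPIP $ver: patched"
fi
rm -rf "$demo_tree"
```

Run it against a real tree with `spip_version_from_tree /path/to/spip` in place of the demo directory; the version parser ignores whether the porte_plume directory exists, which is deliberate, since a vulnerable core release is what matters.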
Vendor Response
SPIP released patched versions under coordinated disclosure. Beyond the temporary measures listed above, no vendor-supported workaround exists for unpatched systems; upgrading is the only complete fix.
Technical References
Note: Proof-of-concept (PoC) links are intentionally omitted per responsible disclosure guidelines.
#SPIP #CMSecurity #PatchNow #WebAppSecurity #CVE20247954
Similar
- CVE-2024-29849: Critical Authentication Bypass in Veeam Backup Enterprise Manager (Linux)
- CVE-2024-22567: Security Advisory for MCMS 5.3.5 (Cross-platform)
- CVE-2024-11616: Buffer Overflow in Netskope Endpoint DLP (Cross-platform)
- CVE-2024-21182: Broken Access Control in Oracle WebLogic Server (Cross-platform)