9.8
CRITICAL
CVE-2024-7954
SPIP Porte_plume Remote Code Execution (RCE)
Description

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

INFO

Published Date :

Aug. 23, 2024, 6:15 p.m.

Last Modified :

Aug. 23, 2024, 6:46 p.m.

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
Public PoC/Exploit Available at Github

CVE-2024-7954 has a 27 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-7954 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Spip spip
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-7954.

URL Resource
https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html
https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/
https://vulncheck.com/advisories/spip-porte-plume

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

HTML

Updated: 2 weeks, 5 days ago
0 stars 0 fork 0 watcher
Born at : May 6, 2025, 2:20 a.m. This repo has been linked 201 different CVEs too.

wy876

Python

Updated: 3 weeks, 5 days ago
3 stars 1 fork 1 watcher
Born at : April 11, 2025, 4:25 a.m. This repo has been linked 209 different CVEs too.

wy876 POC | wy876的poc仓库已删库,该项目为其仓库镜像

Updated: 2 weeks, 4 days ago
298 stars 182 fork 182 watcher
Born at : March 7, 2025, 10:17 a.m. This repo has been linked 201 different CVEs too.

收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了1100多个poc/exp,长期更新。

Updated: 2 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : March 7, 2025, 2:48 a.m. This repo has been linked 142 different CVEs too.

备份的漏洞库,3月开始我们来维护

Updated: 2 weeks, 3 days ago
995 stars 307 fork 307 watcher
Born at : March 4, 2025, 2:54 p.m. This repo has been linked 213 different CVEs too.

2023HW漏洞整理,收集整理漏洞EXp/POC,大部分漏洞来源网络,目前收集整理了300多个poc/exp,长期更新。

Updated: 3 weeks, 6 days ago
1 stars 1 fork 1 watcher
Born at : March 3, 2025, 6:09 a.m. This repo has been linked 177 different CVEs too.

漏洞文库 wiki.wy876.cn

HTML

Updated: 1 month, 1 week ago
58 stars 49 fork 49 watcher
Born at : Feb. 26, 2025, 9:46 a.m. This repo has been linked 201 different CVEs too.

None

Updated: 3 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : Feb. 5, 2025, 4:13 p.m. This repo has been linked 1 different CVEs too.

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request. (CRITICAL)

Updated: 1 month, 3 weeks ago
2 stars 0 fork 0 watcher
Born at : Dec. 28, 2024, 1:05 a.m. This repo has been linked 1 different CVEs too.

SPIP 4.30-alpha2、4.2.13、4.1.16之前的版本使用的porte_plume插件存在任意代码执行漏洞,远程未经身份验证的攻击者可以通过发送精心设计的HTTP 请求以SPIP用户身份执行任意PHP代码。

Updated: 5 months ago
0 stars 0 fork 0 watcher
Born at : Dec. 20, 2024, 3:40 p.m. This repo has been linked 1 different CVEs too.

自动搜集每天的漏洞poc和exp信息。

Updated: 3 months, 1 week ago
8 stars 2 fork 2 watcher
Born at : Dec. 11, 2024, 12:32 a.m. This repo has been linked 91 different CVEs too.

搭建漏洞

HTML

Updated: 6 months ago
0 stars 1 fork 1 watcher
Born at : Nov. 20, 2024, 7:53 a.m. This repo has been linked 32 different CVEs too.

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

Python

Updated: 6 months, 1 week ago
1 stars 0 fork 0 watcher
Born at : Nov. 15, 2024, 9:08 p.m. This repo has been linked 1 different CVEs too.

None

Updated: 1 month ago
6 stars 1 fork 1 watcher
Born at : Oct. 5, 2024, 7:24 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 4 weeks, 1 day ago
4 stars 1 fork 1 watcher
Born at : Sept. 23, 2024, 4:11 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-7954 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-7954 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Received by [email protected]

    Aug. 23, 2024

    Action Type Old Value New Value
    Added Description The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
    Added Reference VulnCheck https://vulncheck.com/advisories/spip-porte-plume [No types assigned]
    Added Reference VulnCheck https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html [No types assigned]
    Added Reference VulnCheck https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/ [No types assigned]
    Added CWE VulnCheck CWE-284
    Added CVSS V3.1 VulnCheck AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-7954 is associated with the following CWEs:

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
© cvefeed.io
Latest DB Update: May. 25, 2025 6:08