Cyber Resilience

CVE-2024-7954

Critical · Public PoC · RCE

Published: 23 August 2024

Modified: 15 April 2026
KEV Added: not listed
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9299 (99.8th percentile)
Risk Priority: 75 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-7954 is a critical-severity Eval Injection (CWE-95) vulnerability in Spip (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.2% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The porte_plume plugin in SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16 contains an arbitrary code execution vulnerability tracked as CVE-2024-7954. The flaw, assigned CVSS 9.8 and mapped to CWE-95 and CWE-1286, resides in the plugin's handling of crafted input that is later evaluated as PHP.

A remote unauthenticated attacker can exploit the issue by sending a single malicious HTTP request, resulting in arbitrary PHP execution under the privileges of the SPIP web server user and full compromise of confidentiality, integrity, and availability.

Official SPIP advisories direct administrators to upgrade immediately to 4.3.0-alpha2, 4.2.13, or 4.1.16; third-party analyses at thinkloveshare.com and vulncheck.com confirm the pre-authentication vector and the necessity of the patch. The associated EPSS score remains elevated near 0.93; no low-to-high trajectory after disclosure is documented, i.e. exploit likelihood was assessed as high from the outset.

Vulnerability details

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

CWE(s)

CWE-95 (Eval Injection: Improper Neutralization of Directives in Dynamically Evaluated Code); CWE-1286 (Improper Validation of Syntactic Correctness of Input)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Spip
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.