CVE-2025-71243
published 2026-02-19


Priority: P1 · 87 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Badges: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 5.13% (91.3rd percentile)
The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.

Affected (2 ranges)

Vendor  Product                  Version range        Fixed in
spip    saisies                  >= 5.4.0, < 5.11.1   5.11.1
spip    saisies_pour_formulaire  >= 5.4.0, < 5.11.1   5.11.1

Detection & IOCs (extracted from sources)

path:  /spip.php?page=contact&_anciennes_valeurs=
url:   /spip.php?page=contact&_anciennes_valeurs={{url_encode(rce_payload)}}
other: x'/><input value='x
  • Detect exploitation attempts by monitoring HTTP GET requests to /spip.php with the `_anciennes_valeurs` parameter present, especially containing PHP code injection patterns (e.g., `<?php`, backtick operators, or HTML injection sequences like `'/>`).
  • Identify SPIP instances by checking HTTP response headers for `Composed-By: SPIP` or `X-Spip-Cache:` — these confirm a SPIP target before exploitation.
  • Exploitation requires a publicly accessible page containing a saisies-powered form; attackers may crawl the SPIP sitemap to discover such pages. Monitor for automated crawling of SPIP sitemaps followed by requests to form pages with `_anciennes_valeurs`.
  • The vulnerability is unauthenticated — no session cookie or prior authentication is required. Any unauthenticated GET request to a SPIP form page with `_anciennes_valeurs` containing code-like content should be treated as a high-confidence attack indicator.
  • The Metasploit module path `exploits/multi/http/spip_saisies_rce` can be used to identify Metasploit-based exploitation attempts in endpoint or network telemetry.
  • Affected versions are strictly 5.4.0 through 5.11.0 of the Saisies plugin; version 5.11.1 and later are patched. Ensure version checks target the plugin specifically, not the SPIP core.
  • The exploit requires a publicly accessible form page using the Saisies plugin (most commonly via the Formidable plugin). Sites without such a form page exposed publicly are not directly exploitable via the standard attack path.
  • The EPSS score is 0.83676 (99.29th percentile), indicating very high likelihood of active exploitation in the wild. Treat this as a priority patch.
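The detection guidance above, turned into a small log scanner as an added example (not part of the CVE record or the Saisies project): it walks combined-format access-log lines, picks out requests to /spip.php that carry `_anciennes_valeurs`, and rates them "suspicious" when the parameter is merely present and "attack" when the decoded value contains the code-like patterns the bullets name. The log lines and client addresses are constructed for the example; the PHP-tag entry carries a placeholder, not a working payload.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Content patterns from the detection guidance: PHP open tag, backtick operator,
# and the HTML-injection sequence "'/>" (as in the IOC x'/><input value='x).
CODE_LIKE = re.compile(r"<\?php|`|'\s*/>|<\s*input\b", re.IGNORECASE)

# Request line of a combined (Apache/nginx) access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_target(target: str) -> str:
    """Classify one request target as 'benign', 'suspicious' or 'attack'."""
    parts = urlsplit(target)
    if not parts.path.endswith("/spip.php"):
        return "benign"
    params = parse_qs(parts.query, keep_blank_values=True)
    if "_anciennes_valeurs" not in params:
        return "benign"
    # parse_qs already percent-decodes once; decode again so double-encoded
    # values are matched too (a no-op on plain text).
    values = [unquote_plus(v) for v in params["_anciennes_valeurs"]]
    if any(CODE_LIKE.search(v) for v in values):
        return "attack"
    return "suspicious"  # parameter present, but no code-like content


def scan_log(lines):
    """Return (verdict, client_ip, target) for every non-benign request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_target(m["target"])
        if verdict != "benign":
            hits.append((verdict, line.split(" ", 1)[0], m["target"]))
    return hits


# Constructed sample entries (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2026:10:00:01 +0000] "GET /spip.php?page=contact HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Feb/2026:10:00:02 +0000] "GET /spip.php?page=contact&_anciennes_valeurs=nom%3DAlice HTTP/1.1" 200 5120',
    '192.0.2.9 - - [19/Feb/2026:10:00:03 +0000] "GET /spip.php?page=contact&_anciennes_valeurs=x%27%2F%3E%3Cinput+value%3D%27x HTTP/1.1" 200 5120',
    '192.0.2.9 - - [19/Feb/2026:10:00:04 +0000] "GET /spip.php?page=contact&_anciennes_valeurs=%3C%3Fphp+PLACEHOLDER HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for verdict, ip, target in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {ip:14} {target}")
```

A "suspicious" hit on its own is worth correlating with the sitemap-crawling pattern described above before escalating; an "attack" hit from an unauthenticated client is the high-confidence indicator the guidance describes.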

CVSS provenance

nvd (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0): 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 9.3 CRITICAL