CVE-2025-71243
Published 2026-02-19
Priority P187 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 5.13% (91.3th percentile)
The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spip | saisies | >= 5.4.0 < 5.11.1 | 5.11.1 |
| spip | saisies_pour_formulaire | >= 5.4.0 < 5.11.1 | 5.11.1 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP GET requests to /spip.php with the `_anciennes_valeurs` parameter present, especially containing PHP code injection patterns (e.g., `<?php`, backtick operators, or HTML injection sequences like `'/>`).
- Identify SPIP instances by checking HTTP response headers for `Composed-By: SPIP` or `X-Spip-Cache:` — these confirm a SPIP target before exploitation.
- Exploitation requires a publicly accessible page containing a saisies-powered form; attackers may crawl the SPIP sitemap to discover such pages. Monitor for automated crawling of SPIP sitemaps followed by requests to form pages with `_anciennes_valeurs`.
- The vulnerability is unauthenticated — no session cookie or prior authentication is required. Any unauthenticated GET request to a SPIP form page with `_anciennes_valeurs` containing code-like content should be treated as a high-confidence attack indicator.
- The Metasploit module path `exploits/multi/http/spip_saisies_rce` can be used to identify Metasploit-based exploitation attempts in endpoint or network telemetry.
- Affected versions are strictly 5.4.0 through 5.11.0 of the Saisies plugin; version 5.11.1 and later are patched. Ensure version checks target the plugin specifically, not the SPIP core.
- The exploit requires a publicly accessible form page using the Saisies plugin (most commonly via the Formidable plugin). Sites without such a form page exposed publicly are not directly exploitable via the standard attack path.
- The EPSS score is 0.83676 (99.29th percentile), indicating very high likelihood of active exploitation in the wild. Treat this as a priority patch.
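As an added defensive example (not code from any of the sources above), the following Python scanner applies the first and fourth detection items to web-server access logs: it parses combined-format lines, URL-decodes the query string, flags any request carrying `_anciennes_valeurs`, and rates the finding high when the value contains the code-like markers named above. The log lines, client addresses and severity labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Code-like markers from the detection guidance: PHP open tags, backtick
# operators and the HTML-breakout sequence '/>.
CODE_MARKERS = re.compile(r"<\?php|<\?=|`|'\s*/>", re.IGNORECASE)

# Constructed sample lines (not real traffic). Line 2 carries an ordinary
# _anciennes_valeurs value; line 3 carries a URL-encoded "'/><?php ... ?>".
SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2026:10:01:02 +0000] "GET /spip.php?page=contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Feb/2026:10:01:05 +0000] "GET /spip.php?page=contact&_anciennes_valeurs=nom%3DBob HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
203.0.113.12 - - [19/Feb/2026:10:01:09 +0000] "GET /spip.php?page=contact&_anciennes_valeurs=%27%2F%3E%3C%3Fphp+%2F%2A+constructed+%2A%2F+%3F%3E HTTP/1.1" 200 5140 "-" "python-requests/2.31"
203.0.113.13 - - [19/Feb/2026:10:01:12 +0000] "POST /spip.php?page=contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def classify_request(target):
    """Return None, 'medium' or 'high' for one request target (path + query)."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("_anciennes_valeurs")
    if not values:
        return None  # parameter absent: not an indicator
    if any(CODE_MARKERS.search(v) for v in values):
        return "high"  # present with code-like content: high-confidence attack
    return "medium"  # present but plain: review, may be legitimate re-display

def scan_log(text):
    """Return one finding per log line whose request carries _anciennes_valeurs."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        severity = classify_request(m.group("target"))
        if severity:
            findings.append({"client": m.group("client"), "method": m.group("method"),
                             "severity": severity, "target": m.group("target")})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["method"], f["target"])
```

The sources describe GET requests; the query string is checked regardless of method so that a form page reached by another verb is not missed.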
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-4374-6xfq-3wjw · ghsa_unreviewed · 2026-02-19 · CWE-94 · CRITICAL
Advisory text identical to the summary above (Saisies 5.4.0 through 5.11.0, RCE; update to 5.11.1 or later).
VulnCheck
spip saisies Improper Control of Generation of Code ('Code Injection') · vulncheck · 2025 · CVSS 9.3 · CRITICAL
Description identical to the summary above.
Affected: spip saisies
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2025-71243
Exploit PoC: https://vulncheck.com/xdb/1d147bea0bf7
No detection rules found.
Metasploit
SPIP Saisies Plugin Unauthenticated RCE · metasploit · CVSS 9.3 · CRITICAL
This module exploits an unauthenticated PHP code injection in the SPIP Saisies plugin (CVE-2025-71243). The `_anciennes_valeurs` form parameter is interpolated unsanitized into a hidden field rendered with `interdire_scripts=false`, allowing direct PHP code execution via template eval. Exploitation requires a publicly accessible page containing a saisies-powered form, most commonly created with the Formidable plugin. Use the `FORM_PAGE` option to specify a known form page, or set it to `crawl` to automatically discover one by following internal links from the SPIP sitemap. Versions 5.4.0 through 5.11.0 of the saisies plugin are affected.
Nuclei
SPIP Saisies - Remote Code Execution · nuclei · CVSS 9.3 · CRITICAL
SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by an unspecified flaw, letting attackers execute arbitrary code on the server; the exploit requires no special conditions.
Template:

```yaml
id: CVE-2025-71243

info:
  name: SPIP Saisies - Remote Code Execution
  author: omarkurt
  severity: critical
  description: |
    SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by an unspecified flaw, letting attackers execute arbitrary code on the server, exploit requires no special conditions.
  remediation: |
    Update to version 5.11.1 or later.
  impact:
    Attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  reference:
    - https://vulnerability.circl.lu/vuln/cve-2025-71243
    - https
```
Rapid7
Metasploit Wrap-Up 03/13/2026 · blogs_rapid7 · 2026-03-13 · CVSS 9.3 · CRITICAL
## No bad luck here: Friday the 13th brings new modules and a Metasploit Pro milestone
This week’s Metasploit Framework release delivers three new modules across reconnaissance, evasion, and exploitation: LeakIX-powered discovery for exposed services and leaked data, a Linux x64 RC4 payload packer for more flexible evasive delivery, and an unauthenticated RCE module for SPIP Saisies (CVE-2025-71243). Alongside those additions, we shipped practical quality-of-life improvements including a smaller configurable bind_netcat payload path, and automatic WordPress service reporting in the WordPress mixin.
Finally, we’re also excited to share the new Metasploit Pro 5.0.0 release with an updated UI and SSO support, amongst other changes; check out the announcement here: Announcing Metasploit Pro 5
Greynoiseio
NoiseLetter March 2026 · blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.