9.3
SPIP referer_spam plugin allows unauthorized access to sensitive data
CVE-2026-27743
Summary
The SPIP referer_spam plugin has an unauthenticated SQL injection flaw in its referer_spam_ajouter and referer_spam_supprimer action handlers that allows remote attackers to access sensitive data without permission. This could lead to unauthorized changes to the plugin's settings or even access to sensitive user information. To fix this, update the plugin to version 1.3.0 or higher.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| spip | referer_spam | <= 1.3.0 | – |
Original title
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read...
Original description
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries.
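A defender-side check for the two handlers named above, as an added example that is not part of the original advisory or the plugin's code: it scans web access log lines for requests that reached referer_spam_ajouter or referer_spam_supprimer and marks those whose url parameter carries SQL metacharacters. The combined log format, the `action` query parameter as the way the handlers are reached, the metacharacter list, and the sample log lines are assumptions or constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Action handler names taken from the advisory text.
HANDLERS = {"referer_spam_ajouter", "referer_spam_supprimer"}
# Sequences that can close a quoted SQL string or start a comment/new statement.
# Assumption: a legitimate referer pattern contains none of them.
SQL_META = re.compile(r"""['"\\;]|--|/\*|#""")
# Client IP, request target and status of a combined-format log line (assumed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '198.51.100.4 - - [06/Mar/2026:09:00:00 +0000] "GET /spip.php?page=sommaire HTTP/1.1" 200 8123',
    '198.51.100.9 - - [06/Mar/2026:09:01:10 +0000] "GET /spip.php?action=referer_spam_ajouter&url=spam.example HTTP/1.1" 200 310',
    '203.0.113.7 - - [06/Mar/2026:09:02:45 +0000] "GET /spip.php?action=referer_spam_supprimer&url=x%27%20--%20 HTTP/1.1" 200 512',
]

def review(lines):
    """Return one finding per request that reached a referer_spam action handler."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access log entry
        # parse_qs percent-decodes values, so encoded quotes are seen as quotes.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        action = query.get("action", [""])[-1]
        if action not in HANDLERS:
            continue
        url_values = query.get("url", [])
        findings.append({
            "ip": m["ip"],
            "action": action,
            "status": int(m["status"]),
            "url": url_values,
            "sql_meta": any(SQL_META.search(v) for v in url_values),
        })
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        level = "SUSPICIOUS" if f["sql_meta"] else "review"
        print(f'{level:10} {f["ip"]:15} {f["action"]} url={f["url"]!r} status={f["status"]}')
```

On an install still running a version prior to 1.3.0, every finding deserves review, not only the flagged ones, since the description states the endpoints enforce no authorization checks.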
NVD CVSS 3.1
9.8
NVD CVSS 4.0
9.3
Vulnerability type
CWE-89
SQL Injection
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html Release Notes
- https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/ Exploit Third Party Advisory
- https://git.spip.net/spip-contrib-extensions/referer_spam/-/commit/33682df73cd5f... Patch
- https://plugins.spip.net/referer_spam.html Product
- https://www.vulncheck.com/advisories/spip-referer-spam-unauthenticated-sql-injec... Third Party Advisory
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026