CVE-2026-27743: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SPIP referer_spam
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input validation or parameterization. The endpoints do not enforce authorization checks and do not use SPIP action protections such as securiser_action(), allowing remote attackers to execute arbitrary SQL queries.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The SPIP referer_spam plugin, used on SPIP content management installations to manage spam referrer URLs, contains an unauthenticated SQL injection vulnerability tracked as CVE-2026-27743 that affects every version before 1.3.0. The referer_spam_ajouter and referer_spam_supprimer action handlers read a url parameter from the GET request and interpolate it straight into SQL LIKE clauses, with no input validation and no parameterized query. The same handlers perform no authorization check and do not call SPIP's securiser_action(), the standard mechanism that ties an action invocation to an authenticated author's session through a per-action hash argument, so any remote client can invoke them. A crafted url value breaks out of the quoted LIKE pattern and lets the attacker append SQL of their choosing to the statement: reading other tables in the SPIP database, altering or deleting rows where the injected statement permits it, and, depending on the privileges of the database account, reaching beyond the database itself. No authentication and no user interaction are required. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (network attack vector, low complexity, no privileges or user interaction, high confidentiality, integrity and availability impact on the vulnerable system, no subsequent-system impact) corresponds to a Critical base score of 9.3. No public exploit has been reported at the time of writing, but the bug is triggered with a single GET request, so the absence of a public exploit should not be relied on.
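To make the two defects concrete, here is an added example that is not the plugin's code (the plugin is PHP and its source is not reproduced on this page): a Python/SQLite model of a handler that pastes url into a LIKE clause, beside a hardened version that binds the pattern, escapes LIKE wildcards and refuses requests that do not carry a valid per-session action token. The table name spip_referer_spam, the lookup on the add path and the secret/session values are assumptions; spip_auteurs and the 0minirezo administrator status are real SPIP conventions; the HMAC token is a simplified stand-in for what securiser_action() provides, not SPIP's algorithm.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data standing in for a SPIP database. The referer_spam
# schema is assumed; spip_auteurs and the '0minirezo' admin status are real
# SPIP conventions.
SAMPLE_REFERERS = [
    "http://spam.example/offer",
    "http://casino.example/x",
    "http://legit.example/",
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spip_referer_spam (id INTEGER PRIMARY KEY, referer TEXT)")
    conn.execute("CREATE TABLE spip_auteurs (id INTEGER PRIMARY KEY, login TEXT, statut TEXT)")
    conn.executemany("INSERT INTO spip_referer_spam (referer) VALUES (?)",
                     [(r,) for r in SAMPLE_REFERERS])
    conn.execute("INSERT INTO spip_auteurs (login, statut) VALUES ('admin', '0minirezo')")
    conn.commit()
    return conn


def count_referers(conn):
    return conn.execute("SELECT COUNT(*) FROM spip_referer_spam").fetchone()[0]


# --- Vulnerable shape, as the advisory describes it: url is pasted into the LIKE clause.

def lookup_vulnerable(conn, url):
    # Assumed "add" path: check whether the referer is already listed.
    sql = "SELECT referer FROM spip_referer_spam WHERE referer LIKE '%" + url + "%'"
    return [row[0] for row in conn.execute(sql)]


def supprimer_vulnerable(conn, url):
    # "Delete" path: remove matching referers.
    sql = "DELETE FROM spip_referer_spam WHERE referer LIKE '%" + url + "%'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# --- Hardened shape: bound parameter, LIKE metacharacters escaped, request authorised first.

def escape_like(value):
    # '%' and '_' stay wildcards inside LIKE even when the pattern is bound as a
    # parameter, so escape them to make the stored referer match literally.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def action_token(secret, session_id, action, arg):
    # Simplified stand-in for a per-author action hash: HMAC over (session, action, argument).
    # This is NOT SPIP's securiser_action() algorithm, only the same idea.
    msg = f"{session_id}:{action}:{arg}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def supprimer_safe(conn, url, secret, session_id, token):
    if not session_id:
        raise PermissionError("action requires an authenticated author")
    expected = action_token(secret, session_id, "referer_spam_supprimer", url)
    if not hmac.compare_digest(expected, token):
        raise PermissionError("invalid action token")
    pattern = "%" + escape_like(url) + "%"
    cur = conn.execute(
        "DELETE FROM spip_referer_spam WHERE referer LIKE ? ESCAPE '\\'", (pattern,)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    # Disclosure: the lookup path leaks the author table through a UNION.
    payload = "' UNION SELECT login || ':' || statut FROM spip_auteurs -- "
    print(lookup_vulnerable(db, payload))
    # Destruction: the delete path wipes the whole table with a tautology.
    print(supprimer_vulnerable(db, "' OR 1=1 -- "), "rows deleted")
    db = make_db()
    secret = b"demo-secret"
    tok = action_token(secret, "sess-42", "referer_spam_supprimer", "casino.example")
    print(supprimer_safe(db, "casino.example", secret, "sess-42", tok), "row deleted")
```

The two payloads show both halves of the advisory: the UNION on the lookup path pulls rows out of spip_auteurs, and the tautology on the delete path empties the table, neither needing a session. In the hardened handler the same strings are just literal (non-matching) patterns, and without a token bound to the session and the argument the handler does not run at all.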
Potential Impact
This is a critical-risk issue for any organization running SPIP with the referer_spam plugin installed. Successful exploitation gives an unauthenticated attacker read access to the SPIP database, including author accounts and password hashes in spip_auteurs, editorial content and site configuration. Where the injected statement can be made to write, data can also be altered or deleted, which allows defacement, disruption of the site, or the creation or elevation of an author account to obtain an administrative login and a foothold for further compromise of the host and the surrounding network. Because no authentication is needed, every Internet-reachable SPIP installation with a vulnerable plugin version is exposed as soon as the handlers are discovered. Consequences range from data breach and regulatory exposure to loss of trust and downtime. Organizations using SPIP for public-facing websites or internal portals should treat this as a high-priority fix. The absence of a known public exploit only provides a window in which to patch, not a reason to delay.
Mitigation Recommendations
1. Upgrade first: install referer_spam 1.3.0 or later, where the handlers were fixed. Confirm the installed version from the version attribute in the plugin's paquet.xml or from the Plugins page in the SPIP admin area.
2. If patching must wait, cut off the two handlers at the WAF or reverse proxy. SPIP dispatches actions through the action request parameter, so block requests carrying action=referer_spam_ajouter or action=referer_spam_supprimer except from trusted administrator addresses, or disable the plugin entirely until it can be updated.
3. For anyone maintaining or forking the plugin code: validate the url parameter before use (it should be a referer URL and nothing more) and never assemble SQL by string concatenation.
4. Use parameterized queries or, within SPIP, the sql_* abstraction with sql_quote() for every user-supplied value, and escape LIKE wildcards so that input is matched literally.
5. Gate every action handler with an authorization check and with securiser_action(), so that an action can only be triggered by an authenticated author presenting the per-action hash.
6. Monitor web server and database logs for requests to these handlers whose url parameter contains quotes, SQL comment sequences (-- or /*) or keywords such as UNION or SELECT. Any request to them that does not come from an administrator's session is itself worth investigating.
7. Audit the SPIP installation and its other plugins for the same pattern: action handlers that skip securiser_action() or build SQL from request parameters.
8. Educate developers and administrators on secure coding practices and on keeping plugins patched.
These steps reduce the likelihood of exploitation and limit the damage if it occurs.
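A minimal log check for the monitoring recommendation, as an added example that is not part of the advisory. It assumes the handlers are reached as spip.php?action=<name>&url=<value> (SPIP's usual action dispatch; the exact path on a given site may differ) and scans constructed combined-format access log lines; the sample traffic is made up for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_ACTIONS = {"referer_spam_ajouter", "referer_spam_supprimer"}

# Combined log format (Apache/nginx): client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and keywords that have no business in a referer URL but are typical of
# a payload breaking out of a quoted LIKE pattern.
SQLI_RE = re.compile(
    r"'|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=|\bsleep\s*\(", re.IGNORECASE
)

# Constructed sample traffic (not real logs): one normal hit, two injection attempts,
# one unrelated page view.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:02:11 +0100] "GET /spip.php?action=referer_spam_supprimer&url=http%3A%2F%2Fcasino.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:15 +0100] "GET /spip.php?action=referer_spam_supprimer&url=%27+OR+1%3D1+--+ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:14:03:40 +0100] "GET /spip.php?action=referer_spam_ajouter&url=%27+UNION+SELECT+login%2Cpass+FROM+spip_auteurs--+ HTTP/1.1" 302 0 "-" "curl/8.5.0"
192.0.2.5 - - [10/Mar/2026:14:04:01 +0100] "GET /spip.php?page=sommaire HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
"""


def scan_log(text):
    """Return one finding per request to a vulnerable handler, flagging injection-like payloads."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        action = query.get("action", [""])[0]
        if action not in VULN_ACTIONS:
            continue
        # parse_qs already percent-decodes and turns '+' into a space.
        url = query.get("url", [""])[0]
        findings.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "action": action,
            "url": url,
            "status": int(m.group("status")),
            "injection": bool(SQLI_RE.search(url)),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = "SQLI?" if f["injection"] else "hit"
        print(f"{tag:5} {f['client']:14} {f['action']:24} {f['url']!r}")
```

Every request to the two handlers is reported, because in a deployment where the plugin is only driven from the admin interface a hit from an arbitrary client is already notable; the injection flag then separates obvious payloads from ordinary referer values. Decoding the query before matching matters: the quote and comment sequences arrive percent-encoded and would be missed by a pattern applied to the raw request line.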
Affected Countries
France, Germany, United States, United Kingdom, Canada, Australia, Netherlands, Belgium, Switzerland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-23T21:38:48.841Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e7673b7ef31ef0bd379c5
Added to database: 2/25/2026, 4:11:31 AM
Last enriched: 3/11/2026, 8:03:57 PM
Last updated: 4/11/2026, 5:55:53 PM