The SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated SQL injection vulnerability identified as CVE-2026-27747 (CWE-89). This vulnerability arises in the interface_traduction_objets_pipelines.php file, where the plugin processes translation requests. Specifically, the id_parent parameter, supplied by users, is concatenated directly into a SQL WHERE clause within a call to sql_getfetsel() without any input sanitization or use of prepared statements. This improper neutralization of special elements in SQL commands allows an attacker with editor-level privileges to inject crafted SQL expressions. Successful exploitation can manipulate backend database queries, leading to unauthorized data disclosure, modification, or even denial of service depending on the database's configuration and privileges. The vulnerability requires authentication but no additional user interaction, and the attack surface is limited to users with editor rights. The CVSS 4.0 base score is 8.7, reflecting high severity due to network attack vector, low attack complexity, no user interaction, and significant impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a serious risk to affected SPIP installations.

This vulnerability can have severe consequences for organizations using the vulnerable SPIP plugin. An attacker with editor-level access can leverage the SQL injection to exfiltrate sensitive data from the database, including potentially user credentials, content, or configuration data. They may also modify or delete data, undermining data integrity and trustworthiness. In some configurations, the injection could be used to cause denial of service by disrupting database operations. Since SPIP is a content management system used primarily in French-speaking countries and some international organizations, compromised installations could lead to data breaches, defacement, or operational disruptions. The requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with multiple editors or weak internal access controls. The vulnerability could also be chained with other attacks to escalate privileges or pivot within the network.

Organizations should immediately upgrade the interface_traduction_objets plugin to version 4.3.3 or later where this vulnerability is fixed. If upgrading is not immediately possible, apply strict input validation and sanitization on the id_parent parameter to ensure it contains only expected numeric or safe values before it is used in SQL queries. Employ parameterized queries or prepared statements to prevent SQL injection. Restrict editor-level privileges to trusted users and monitor their activities closely. Implement database access controls to limit the impact of potential injection attacks, such as using least privilege principles for database accounts. Enable logging and alerting on suspicious database queries or unusual editor actions. Conduct regular security audits of SPIP installations and keep all components up to date. Consider deploying web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting this plugin.