CVE-2013-2118

SPIP <3.0.9, <2.1.22, <2.0.23 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-2118. PoCs published by Gregory Draperi.

AI-analyzed exploit summary: This exploit leverages a privilege escalation vulnerability in SPIP CMS to create an administrator account without authentication. It sends crafted requests to the target system, exploiting improper access controls to register a new admin user, with credentials sent via email.

Description

SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.

Exploits (1)

exploitdb · WORKING POC
by Gregory Draperi · python · webapps · php
https://www.exploit-db.com/exploits/33425

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: SPIP CMS < 3.0.9 / 2.1.22 / 2.0.23
No auth needed
Prerequisites: SMTP configuration on the target SPIP instance · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2013/05/27/2
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2013/dsa-2694

Scores

EPSS: 0.0898
EPSS Percentile: 94.6%

Details

Status: published
Products (50)
spip/spip 3.0.0
spip/spip 3.0.1
spip/spip 3.0.2
spip/spip 3.0.3
spip/spip 3.0.4
spip/spip 3.0.5
spip/spip 3.0.6
spip/spip 3.0.7
spip/spip 3.0.8
spip/spip 2.1.1
... and 40 more
Published: Jul 09, 2013
Tracked Since: Feb 18, 2026