The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_parent parameter to manipulate the backend query.
Successful exploitation can result in disclosure or modification of database contents and may lead to denial of service depending on the database configuration and privileges.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities/
disclosure@vulncheck.com
https://git.spip.net/spip-contrib-extensions/interface_traduction_objets/-/comm…
disclosure@vulncheck.com
https://plugins.spip.net/interface_traduction_objets
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/spip-interface-traduction-objets-authentic…
disclosure@vulncheck.com