The hook
Old CMS installations are still common in side projects, landing pages, and inherited customer sites. SPIP 3.1.2 and earlier have a template-tag handling vulnerability associated with remote code execution risk for authenticated attackers.
Kako funkcionira
The check extracts explicit SPIP version strings from `Composed-By` headers, generator meta tags, and early HTML markers. It does not upload files or attempt template execution.
The blast radius
A vulnerable SPIP installation can turn compromised editor/admin credentials into server-side code execution. Public version banners also make the target easy to triage for attackers scanning older CMS estates.
// what fixvibe checks
What FixVibe checks
FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Upgrade SPIP beyond 3.1.2, verify the deployed version directly, and remove stale public generator/version banners. Keep upload and template-management permissions restricted to trusted administrators.