SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability
in ecrire/public/aiguiller.php, ecrire/public/balises.php,
ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must
visit a malicious website which redirects to the SPIP website. It is also
possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The
vulnerability allows an authenticated attacker to execute malicious code
without the knowledge of the user on the website (CSRF).