CVE-2026-1542
PHP Object Injection in Super Stage WP Plugin via Unauthenticated Unserialization
Publication date: 2026-02-28
Last updated on: 2026-03-02
Assigner: WPScan
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| super_stage_wp | super_stage_wp | up to 1.0.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1542 is a vulnerability in the Super Stage WP WordPress plugin, versions up to and including 1.0.1. It occurs because the plugin unserializes user input received via the 'data' parameter of an HTTP request at a publicly accessible endpoint, without requiring authentication.
Specifically, the plugin base64-decodes and then unserializes a serialized PHP object supplied by the user. This insecure deserialization can lead to PHP Object Injection if a suitable gadget chain exists within the blog's codebase.
This means an attacker can send specially crafted data to the plugin's endpoint to manipulate the application logic or potentially execute arbitrary PHP code. [1]
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to perform PHP Object Injection, which can lead to serious security risks.
- Execution of arbitrary PHP code on the affected WordPress site.
- Manipulation of application logic, potentially leading to unauthorized actions.
- Compromise of the affected WordPress installation, including data breaches or site defacement.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a specially crafted HTTP request to the vulnerable endpoint and observing the response. The endpoint is publicly accessible at /wp-content/plugins/super-stage-wp/Staging/bridge/bridge.php and accepts a base64-encoded serialized PHP object via the data parameter.
A common detection method is to send a test payload such as a base64-encoded serialized array, for example YToxOntzOjQ6InRlc3QiO3M6NToiaGVsbG8iO30= which corresponds to a:1:{s:4:"test";s:5:"hello";}.
You can use the following curl command to test the vulnerability:
- curl -X POST -d "data=YToxOntzOjQ6InRlc3QiO3M6NToiaGVsbG8iO30=" https://target-site.com/wp-content/plugins/super-stage-wp/Staging/bridge/bridge.php
If the response contains a serialized error message indicating that the input was processed but matched no action, it confirms that the endpoint unserializes the input and is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
There is no known fix available at the time of disclosure for this vulnerability.
Immediate mitigation steps include:
- Disable or remove the Super Stage WP plugin version 1.0.1 or earlier from your WordPress installation.
- Restrict access to the vulnerable endpoint (/wp-content/plugins/super-stage-wp/Staging/bridge/bridge.php) via web server configuration or firewall rules to trusted IPs only.
- Monitor your logs for suspicious requests containing base64-encoded serialized data in the data parameter.
- Keep your WordPress installation and plugins updated and watch for any patches or updates released by the plugin author addressing this issue.