Description
The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Published: 2026-02-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The Super Stage WP WordPress plugin through version 1.0.1 passes data taken from PHP's REQUEST superglobal (query string, POST body or cookies) to unserialize() without restricting which classes may be instantiated. An unauthenticated attacker can therefore supply a serialized PHP object of any class already loaded on the site. The unserialize() call by itself does not execute code: the impact depends on a gadget chain, i.e. a class loaded from WordPress core, the theme or another installed plugin whose magic methods (__destruct, __wakeup, __toString and similar) do something dangerous with attacker-controlled property values. Where such a chain exists, the result can be arbitrary file writes or remote code execution on the host. The flaw is classified as CWE-502 (Deserialization of Untrusted Data). The recorded CVSS vector carries only limited confidentiality and integrity impact (C:L/I:L/A:N) because exploitation is conditional on a usable gadget chain being present, but on a site that has one the realistic worst case is full compromise of the site.
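The script below is an added illustration of the pattern the advisory describes; it is not code from Super Stage WP or from WPScan, and the class CacheFlusher, the functions vulnerable_sink() and hardened_sink() and the payload string are all invented for the demonstration. It shows a hypothetical gadget class with a __destruct method, the vulnerable sink (unserialize() on raw request data) beside the hardened form (allowed_classes => false), and what each does with the same attacker-shaped input.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget: any loaded class with a magic method that acts on its
// own properties. Invented for this demo; it is not from Super Stage WP. A real
// gadget would call system(), file_put_contents(), include, etc.; this one only
// records what it "would have run" so the script is harmless to execute.
class CacheFlusher
{
    public string $command = 'noop';

    public function __destruct()
    {
        $GLOBALS['executed'][] = $this->command;
    }
}

// The pattern the advisory describes: request data goes straight into
// unserialize(), so the client decides which loaded class gets instantiated
// and what its properties contain.
function vulnerable_sink(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened form: allowed_classes => false turns every O: token into a
// __PHP_Incomplete_Class instance, so no magic method of a real class is
// ever reached. (Better still: stop accepting serialized PHP from clients
// and use JSON with explicit structure validation.)
function hardened_sink(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

$GLOBALS['executed'] = [];

// Attacker-shaped input as it would arrive in $_REQUEST['data'] (constructed
// for this demo; serialize() of a CacheFlusher whose command is set to the
// same string produces exactly this text).
$payload = 'O:12:"CacheFlusher":1:{s:7:"command";s:11:"id > /tmp/x";}';

$obj = vulnerable_sink($payload);
var_dump($obj instanceof CacheFlusher);   // the class came from the attacker's string
unset($obj);                              // __destruct now runs with attacker data
var_dump($GLOBALS['executed']);

$obj = hardened_sink($payload);
var_dump(get_class($obj));                // no real class is instantiated
unset($obj);                              // no destructor of a real class fires
var_dump($GLOBALS['executed']);
```

Run it with `php demo.php` on PHP 8. The vulnerable sink instantiates CacheFlusher from the attacker's string and its destructor executes with the attacker-chosen command as soon as the object is released; the hardened sink returns a __PHP_Incomplete_Class instance whose properties are inert, so the record of executed commands does not grow. The allowed_classes option has existed since PHP 7.0, so it is available on every supported WordPress host.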

Affected Systems

The vulnerability affects the Super Stage WP plugin for WordPress at version 1.0.1 and all earlier versions. The record lists the vendor as unknown and the product as Super Stage WP. No lower bound is given, so any installed version up to and including 1.0.1 should be treated as affected. Whether an affected installation is actually exploitable to code execution depends on the other code loaded on the site (WordPress core, theme and other plugins), since that is where a gadget chain would come from.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 the vulnerability is rated Medium, and the EPSS score below 1% indicates a low estimated probability of exploitation in the wild at present; the SSVC data recorded for this CVE nonetheless states that a proof of concept exists and that exploitation is automatable. No authentication is required. Because the vulnerable code reads from the REQUEST superglobal, the crafted serialized payload can arrive in a GET parameter, a POST field or a cookie on whichever request path reaches the plugin's unserialize() call, so input filtering that only looks at the query string is incomplete. The absence of a KEV listing suggests that active exploitation is not widespread, but an unauthenticated object injection vector on a site that has a usable gadget chain is a short path to code execution and warrants prompt attention.

Generated by OpenCVE AI on April 15, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Super Stage WP plugin as soon as a release later than 1.0.1 that no longer unserializes request data is published; at the time of this record no fixed version is listed.
  • Until a fix exists, deactivate and delete the plugin. Deactivation stops its hooks from running and deletion removes the unserialize() sink from the site entirely.
  • Where the plugin must remain installed, reject request parameters that contain serialized PHP object tokens (O:<length>:"...) or custom-class tokens (C:<length>:"...) at the web server or WAF before they reach PHP. Check the URL-decoded form as well as the raw one, since such payloads normally arrive percent-encoded, and apply the check to POST bodies and cookies, not only the query string, because REQUEST reads all three.
  • Review web server logs for query strings carrying such tokens and block sources that send them repeatedly. Note that standard access logs do not record POST bodies or cookies, so an empty search there does not prove that no attempts were made.
  • Audit the other plugins and themes installed on the site: they determine whether a gadget chain is available, and removing unused ones reduces the chance that the object injection can be turned into code execution.
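As an added example of the perimeter check and log review recommended above (this is not code from OpenCVE, WPScan or the plugin), the PHP script below implements a function that detects serialized PHP object tokens behind up to two layers of URL encoding, including tokens nested inside serialized arrays, and runs it over a few constructed access-log lines. The function names and the sample log lines are invented for the demonstration; the IP addresses are from documentation ranges.

```php
<?php
declare(strict_types=1);

/**
 * True when $value carries a serialized PHP object token (O:<len>:") or a
 * custom-serialized class token (C:<len>:") anywhere, including nested inside
 * arrays and behind up to two layers of URL encoding. The negative lookbehind
 * keeps ordinary text such as TODO:3:"ab" from matching; unserialize() would
 * not accept that as an object token either.
 */
function contains_php_object_token(string $value): bool
{
    $candidates = [$value];
    $current = $value;
    // Peel up to two layers of URL encoding: attackers double-encode to slip
    // past naive filters, and WordPress decodes REQUEST values before use.
    for ($i = 0; $i < 2; $i++) {
        $decoded = urldecode($current);
        if ($decoded === $current) {
            break;
        }
        $candidates[] = $decoded;
        $current = $decoded;
    }
    foreach ($candidates as $candidate) {
        if (preg_match('/(?<![A-Za-z0-9_])[OC]:\d+:"/', $candidate) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the 1-based numbers of combined-format access-log lines whose
 * request target carries an object token. Only the request line is inspected:
 * POST bodies and cookies, which $_REQUEST also reads, are not in access logs,
 * so this review is necessarily partial.
 */
function flag_object_injection_attempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m) !== 1) {
            continue;
        }
        if (contains_php_object_token($m[1])) {
            $hits[] = $index + 1;
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic. Line 2 carries a URL-encoded
// O:8:"stdClass":0:{} payload, line 4 hides one inside a serialized array,
// lines 1 and 3 are benign (line 3 contains the near-miss TODO:3:"ab").
$sample = [
    '203.0.113.5 - - [28/Feb/2026:06:20:01 +0000] "GET /?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Feb/2026:06:20:02 +0000] "GET /?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [28/Feb/2026:06:21:10 +0000] "GET /?msg=TODO%3A3%3A%22ab%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Feb/2026:06:21:11 +0000] "POST /?x=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D HTTP/1.1" 200 64 "-" "python-requests/2.31"',
];

foreach (flag_object_injection_attempts($sample) as $n) {
    echo "possible PHP object injection attempt on line {$n}\n";
}
```

Run with `php scan.php`, or pass `file('access.log')` instead of the sample array. The same contains_php_object_token() check can be dropped into a mu-plugin that runs early on each request and aborts when any value in $_GET, $_POST or $_COOKIE matches, which covers the POST and cookie vectors that access logs miss. The check is deliberately conservative: a legitimate serialized string whose content happens to begin with a quote followed by O: would also be flagged, which is an acceptable trade-off for a site that should never receive serialized PHP from a client.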

Generated by OpenCVE AI on April 15, 2026 at 20:07 UTC.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 14:15:00 +0000

Type        Values Removed   Values Added
Weaknesses  (none)           CWE-502
Metrics     (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                             ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Super Stage Wp (super Stage Wp), Wordpress (wordpress)
Vendors & Products    (none)           Super Stage Wp (super Stage Wp), Wordpress (wordpress)

Sat, 28 Feb 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Title         (none)           Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:57.449Z

Reserved: 2026-01-28T15:00:06.802Z

Link: CVE-2026-1542

Vulnrichment

Updated: 2026-03-02T14:04:33.556Z

NVD

Status : Deferred

Published: 2026-02-28T06:16:02.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1542

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses