CVE-2026-1542 PUBLISHED

Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection

Assigner: WPScan
Reserved: 28.01.2026 Published: 28.02.2026 Updated: 28.02.2026

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Product Status

Vendor	Unknown
Product	Super Stage WP
Versions	Default: affected affected from 0 to 1.0.1 (incl.)

Credits

yiğit ibrahim sağlam finder
WPScan coordinator

References

https://wpscan.com/vulnerability/d6e3041f-62e8-49ba-8806-59a1c07ec43d/

Problem Types

CWE-502 Deserialization of Untrusted Data CWE