{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1542", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-28T15:00:06.802Z", "datePublished": "2026-02-28T06:00:08.933Z", "dateUpdated": "2026-04-02T12:39:57.449Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:57.449Z"}, "title": "Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection", "problemTypes": [{"descriptions": [{"description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Super Stage WP", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog."}], "references": [{"url": "https://wpscan.com/vulnerability/d6e3041f-62e8-49ba-8806-59a1c07ec43d/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "yi\u011fit ibrahim sa\u011flam", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T14:04:10.005958Z", "id": "CVE-2026-1542", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T14:04:37.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1542", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T14:04:10.005958Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T14:04:33.556Z"}}], "cna": {"title": "Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "yi\u011fit ibrahim sa\u011flam"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Super Stage WP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/d6e3041f-62e8-49ba-8806-59a1c07ec43d/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:57.449Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1542", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:57.449Z", "dateReserved": "2026-01-28T15:00:06.802Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-02-28T06:00:08.933Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog."}, {"lang": "es", "value": "El plugin de WordPress Super Stage WP hasta la versi\u00f3n 1.0.1 deserializa la entrada del usuario a trav\u00e9s de REQUEST, lo que podr\u00eda permitir a usuarios no autenticados realizar una inyecci\u00f3n de objetos PHP cuando un gadget adecuado est\u00e1 presente en el blog."}], "id": "CVE-2026-1542", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-28T06:16:02.080", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/d6e3041f-62e8-49ba-8806-59a1c07ec43d/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "Super Stage WP", "source": "cna", "vendor": "Unknown"}, "product": "super_stage_wp", "vendor": "super_stage_wp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:07:39.318840+00:00", "value": {"mitigation_remediation": ["Upgrade the Super Stage WP plugin to the latest version that removes or properly validates all user-supplied serialized data.", "If an update is unavailable, disable or delete the plugin from the WordPress installation to eliminate the deserialization surface.", "Implement or enforce strict input validation on incoming HTTP requests to reject serialized objects before they reach the plugin logic.", "As an additional precaution, review web server logs for repeated attempts to inject serialized PHP objects and block offending IPs if necessary."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Super Stage WP plugin for WordPress, affecting all installations using version 1.0.1 or earlier. The plugin is listed as 'Unknown:Super Stage WP' in vendor terminology. No additional version specificity is provided beyond the upper bound of 1.0.1, so any deployment of that range of versions is potentially impacted.", "description_and_impact": "The Super Stage WP WordPress plugin through version 1.0.1 deserializes data received via HTTP requests without validation, allowing an attacker to inject a serialized PHP object. If an attacker can supply a suitable gadget chain in the input, the deserialization process can lead to arbitrary code execution on the host. This flaw matches CWE\u2011502 and represents a significant security weakness that can compromise the confidentiality, integrity, and availability of the affected website.", "risk_and_exploitability": "With a CVSS score of 6.5 the vulnerability carries a moderate severity, yet the EPSS score is below 1% indicating a low probability of exploitation in the wild at present. The exploit is unauthenticated and relies on any HTTP request containing crafted serialized data; therefore any public endpoint that passes user input through the plugin is a potential attack vector. The lack of a KEV listing further suggests that active exploitation is not widespread, but the presence of an object injection vector still warrants prompt attention."}}}}, "created": "2026-03-02T12:04:27.532047+00:00", "updated": "2026-04-15T20:15:13.713621+00:00", "vendors": ["super_stage_wp", "super_stage_wp$PRODUCT$super_stage_wp", "wordpress", "wordpress$PRODUCT$wordpress"]}