Super Stage WP WordPress Plugin Unauthenticated PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Super Stage WP WordPress plugin, affecting versions through 1.0.1. The plugin unserializes user-supplied input taken from the REQUEST data, so an unauthenticated user could exploit the blog if a suitable gadget for object injection is available.

Impact

Exploitation of this vulnerability allows for PHP Object Injection, which could lead to arbitrary code execution or other impacts depending on the injected object and the application's context.

Reproduction

To reproduce this vulnerability, send a request to 'wp-content/plugins/super-stage-wp/Staging/bridge/bridge.php' with a 'data' parameter containing a Base64-encoded serialized payload. The endpoint is publicly accessible and does not require authentication. The plugin unserializes the decoded data, which results in PHP Object Injection.
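For defenders, the request shape described above can be searched for in web server access logs. The following is an added example, not code from the plugin or from this advisory: it flags requests to the bridge endpoint and reports whether a 'data' query value decodes to PHP-serialized data containing an object. The combined log format, the sample lines and the function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Path from the advisory; the log format and sample lines are constructed.
BRIDGE_PATH = "wp-content/plugins/super-stage-wp/Staging/bridge/bridge.php"
# PHP serializes an object as O:<len>:"<class>":<count>:{ (C: for Serializable).
OBJECT_TOKEN = re.compile(rb'(?:^|[;{])[OC]:\d+:"[^"]+":\d+:\{')
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def contains_php_object(value: str) -> bool:
    """True if value Base64-decodes to PHP-serialized data holding an object."""
    # parse_qs turns a raw '+' into a space; undo that and accept URL-safe Base64.
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return OBJECT_TOKEN.search(raw) is not None


def classify(log_line: str) -> str:
    """Return 'object', 'bridge' or 'clean' for one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return "clean"
    url = urlsplit(match.group(1))
    if BRIDGE_PATH not in url.path:
        return "clean"
    if any(contains_php_object(v) for v in parse_qs(url.query).get("data", [])):
        return "object"
    # Endpoint was reached; POST bodies and cookies are not in access logs.
    return "bridge"


def sample_line(path: str, payload: bytes = b"") -> str:
    """Build a constructed combined-log-format line for the demo."""
    query = "?data=" + base64.b64encode(payload).decode() if payload else ""
    return ('203.0.113.7 - - [28/Feb/2026:06:17:00 +0000] '
            '"GET /%s%s HTTP/1.1" 200 12' % (path, query))


if __name__ == "__main__":
    for line in (sample_line(BRIDGE_PATH, b'O:8:"stdClass":0:{}'),
                 sample_line(BRIDGE_PATH, b'a:1:{s:3:"env";s:7:"staging";}'),
                 sample_line("index.php", b'O:8:"stdClass":0:{}')):
        print(classify(line), line)
```

A 'bridge' result still deserves review: because the plugin reads REQUEST data, the parameter can arrive in a POST body, which access logs do not record.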

Added: Feb 28, 2026, 6:17 AM
Updated: Feb 28, 2026, 6:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.2
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.