CVE-2026-1542: Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection

Vendor: Unknown
Product: Super Stage WP
Published: February 28, 2026
Last update: April 2, 2026

CVSS base score

What the vulnerability does

Description

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Key dates

Disclosure timeline

February 28, 2026: CVE published
April 2, 2026: Record updated