Super Stage WP Security & Risk Analysis

wordpress.org/plugins/super-stage-wp

Instant staging of your WordPress Site.

10 active installs · v1.0.2 · PHP + · WP 3.9.14+ · Updated Feb 4, 2026
Tags: backup, clone, cloning, db-migration, staging
Score: 75 (B · Generally Safe)
CVEs total: 1
Unpatched: 1
Last CVE: Mar 2, 2026
Safety Verdict

Is Super Stage WP Safe to Use in 2026?

Mostly Safe

Score 75/100

Super Stage WP is generally safe to use. 1 past CVE was resolved.

1 known CVE · 1 unpatched · Last CVE: Mar 2, 2026 · Updated 3mo ago
Risk Assessment

The 'super-stage-wp' plugin version 1.0.2 exhibits a significantly concerning security posture, largely due to a substantial attack surface that is entirely unprotected. With 25 AJAX handlers and none of them incorporating authentication or capability checks, any unauthenticated user can potentially trigger these actions. This is compounded by the presence of dangerous PHP functions like `unserialize`, `exec`, and `system` within the codebase, increasing the risk of remote code execution if these unprotected entry points are exploited.

The taint analysis further highlights this, revealing 7 flows with unsanitized paths, including 3 classified as high severity, indicating potential for sensitive data leakage or manipulation. The plugin's vulnerability history, with one known high severity CVE related to deserialization of untrusted data, directly aligns with the identified code signals and taint analysis, suggesting a recurring pattern of critical security flaws.

While the plugin shows some positive indicators, such as a high percentage of SQL queries using prepared statements and a decent proportion of properly escaped output, these strengths are overshadowed by the fundamental lack of security on its extensive entry points and the presence of dangerous functions. The overall risk is high.

Key Concerns

  • Unprotected AJAX handlers
  • Unsanitized taint flows (high severity)
  • Unsanitized taint flows (all)
  • Dangerous functions found
  • Missing nonce checks on AJAX
  • Unpatched CVE (high severity)
  • Limited output escaping
  • Low number of capability checks
Vulnerabilities
1 published

Super Stage WP Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

High: 1

1 total CVE

CVE-2026-1542 · high · 8.1 · Deserialization of Untrusted Data

Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection

Mar 2, 2026 · Unpatched
Version History

Super Stage WP Release Timeline

  • v1.0.2 · Current · 1 CVE
  • v1.0.1 · 1 CVE
  • v1.0.0 · 1 CVE
Code Analysis
Analyzed Apr 16, 2026

Super Stage WP Code Analysis

Dangerous Functions: 26
Raw SQL Queries: 31 (203 prepared)
Unescaped Output: 14 (17 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 78
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$settings = unserialize($raw_settings);` · ExcludeOption/ExcludeOption.php:1300
  • unserialize · `$unserialized_details = unserialize($serialized_details);` · Staging/init.php:112
  • unserialize · `$tables = @unserialize($raw_result);` · Staging/init.php:1049
  • unserialize · `$tables = @unserialize($raw_result);` · Staging/stage-to-live/includes/class-stage-to-live.php:282
  • unserialize · `$is_wpss_request = @unserialize(base64_decode($_REQUEST['data']));` · Staging/stage-to-live/includes/class-stage-to-live.php:796
  • exec · `$log = @exec($command, $output, $return);` · class-database-backup.php:706
  • system · `$log = @system($command, $return);` · class-database-backup.php:716
  • passthru · `$log = passthru($command, $return);` · class-database-backup.php:727
  • unserialize · `$final_data[$i]['update_details'] = !empty($meta->update_details) ? unserialize($meta->update_detail` · class-processed-files.php:890
  • unserialize · `$unserialized_data = @unserialize($data);` · class-replace-db-links.php:626
  • unserialize · `if (is_string($data) && ($unserialized = @unserialize($data)) !== false) {` · class-replace-db-links.php:680
  • unserialize · `$test = @unserialize($data);` · class-replace-db-links.php:784
  • unserialize · `$limit = unserialize($limit);` · wpss-app-functions.php:370
  • unserialize · `$limit = unserialize($limit);` · wpss-app-functions.php:389
  • unserialize · `$active_plugins = unserialize($active_plugins);` · wpss-app-functions.php:475
  • unserialize · `$active_plugins = unserialize($active_plugins);` · wpss-app-functions.php:505
  • unserialize · `$current = unserialize($current);` · wpss-app-functions.php:525
  • unserialize · `$current = unserialize($current);` · wpss-app-functions.php:551
  • unserialize · `$contents = @unserialize($options_obj->get_option('this_cookie'));` · wpss-common-functions.php:402
  • unserialize · `$unserialized = unserialize($raw);` · wpss-common-functions.php:1106
  • unserialize · `$unserialized = unserialize($raw);` · wpss-common-functions.php:1127
  • set_time_limit · `@set_time_limit($seconds);` · wpss-common-functions.php:1329
  • unserialize · `$prev_data = unserialize($raw_prev_data);` · wpss-config.php:188
  • unserialize · `$this_arr = unserialize($this_ser);` · wpss-config.php:209
  • ini_set · `@ini_set('memory_limit', WP_MAX_MEMORY_LIMIT);` · wpss-config.php:267
  • unserialize · `$settings = !empty($settings) ? unserialize($settings) : array();` · wpss-config.php:1008

SQL Query Safety

87% prepared · 234 total queries

Output Escaping

55% escaped · 31 total outputs
Data Flows · Security
7 unsanitized

Data Flow Analysis

7 flows · 7 with unsanitized paths
start_fresh_staging (Staging/HooksHandler.php:102)
Attack Surface
25 unprotected

Super Stage WP Attack Surface

Entry Points: 25
Unprotected: 25

AJAX Handlers 25

  • auth · wp_ajax_wpss_get_root_files · ExcludeOption/Hooks.php:21
  • auth · wp_ajax_wpss_get_init_root_files · ExcludeOption/Hooks.php:22
  • auth · wp_ajax_wpss_get_init_files_by_key · ExcludeOption/Hooks.php:23
  • auth · wp_ajax_wpss_get_files_by_key · ExcludeOption/Hooks.php:24
  • auth · wp_ajax_wpss_get_tables · ExcludeOption/Hooks.php:25
  • auth · wp_ajax_wpss_get_init_tables · ExcludeOption/Hooks.php:26
  • auth · wp_ajax_exclude_file_list_wpss · ExcludeOption/Hooks.php:27
  • auth · wp_ajax_include_file_list_wpss · ExcludeOption/Hooks.php:28
  • auth · wp_ajax_exclude_table_list_wpss · ExcludeOption/Hooks.php:29
  • auth · wp_ajax_include_table_list_wpss · ExcludeOption/Hooks.php:30
  • auth · wp_ajax_include_table_structure_only_wpss · ExcludeOption/Hooks.php:31
  • auth · wp_ajax_analyze_inc_exc_lists_wpss · ExcludeOption/Hooks.php:32
  • auth · wp_ajax_exclude_all_suggested_items_wpss · ExcludeOption/Hooks.php:33
  • auth · wp_ajax_get_all_excluded_files_wpss · ExcludeOption/Hooks.php:34
  • auth · wp_ajax_start_fresh_staging_wpss · Staging/Hooks.php:18
  • auth · wp_ajax_copy_staging_wpss · Staging/Hooks.php:19
  • auth · wp_ajax_continue_staging_wpss · Staging/Hooks.php:20
  • auth · wp_ajax_delete_staging_wpss · Staging/Hooks.php:21
  • auth · wp_ajax_get_staging_details_wpss · Staging/Hooks.php:22
  • auth · wp_ajax_stop_staging_wpss · Staging/Hooks.php:23
  • auth · wp_ajax_is_staging_need_request_wpss · Staging/Hooks.php:24
  • auth · wp_ajax_get_staging_url_wpss · Staging/Hooks.php:26
  • auth · wp_ajax_save_staging_settings_wpss · Staging/Hooks.php:27
  • auth · wp_ajax_get_staging_current_status_key_wpss · Staging/Hooks.php:28
  • auth · wp_ajax_wpss_copy_stage_to_live · Staging/stage-to-live/super-stage-wp-staging.php:160
WordPress Hooks 36
  • action · add_additional_sub_menus_wpss_h · Staging/Hooks.php:40
  • action · init_staging_wpss_h · Staging/Hooks.php:41
  • action · add_staging_req_h · Staging/Hooks.php:42
  • action · send_response_node_staging_wpss_h · Staging/Hooks.php:43
  • action · admin_enqueue_scripts · Staging/Hooks.php:44
  • action · is_staging_taken_wpss · Staging/Hooks.php:45
  • action · upgrade_our_staging_plugin_wpss · Staging/Hooks.php:46
  • action · admin_print_footer_scripts · Staging/Hooks.php:47
  • filter · is_any_staging_process_going_on · Staging/Hooks.php:51
  • filter · get_internal_staging_db_prefix · Staging/Hooks.php:52
  • filter · page_settings_tab_wpss · Staging/Hooks.php:53
  • filter · page_settings_content_wpss · Staging/Hooks.php:54
  • filter · process_staging_details_hook_wpss · Staging/Hooks.php:55
  • filter · set_options_to_staging_site_wpss · Staging/Hooks.php:56
  • action · wp_enqueue_scripts · Staging/stage-to-live/super-stage-wp-staging.php:149
  • action · admin_init · Staging/stage-to-live/super-stage-wp-staging.php:150
  • action · init · Staging/stage-to-live/super-stage-wp-staging.php:151
  • action · admin_enqueue_scripts · Staging/stage-to-live/super-stage-wp-staging.php:153
  • action · admin_head · Staging/stage-to-live/super-stage-wp-staging.php:154
  • action · wp_head · Staging/stage-to-live/super-stage-wp-staging.php:155
  • action · login_head · Staging/stage-to-live/super-stage-wp-staging.php:156
  • action · wp_before_admin_bar_render · Staging/stage-to-live/super-stage-wp-staging.php:158
  • action · init · Staging/stage-to-live/super-stage-wp-staging.php:159
  • action · the_content · Staging/stage-to-live/super-stage-wp-staging.php:175
  • action · wp_get_attachment_url · Staging/stage-to-live/super-stage-wp-staging.php:176
  • action · admin_print_footer_scripts · Staging/stage-to-live/super-stage-wp-staging.php:177
  • filter · wp_calculate_image_srcset · Staging/stage-to-live/super-stage-wp-staging.php:179
  • filter · wp_insert_attachment_data · Staging/stage-to-live/super-stage-wp-staging.php:180
  • filter · the_content · Staging/stage-to-live/super-stage-wp-staging.php:182
  • action · network_admin_menu · Staging/stage-to-live/super-stage-wp-staging.php:217
  • action · admin_menu · Staging/stage-to-live/super-stage-wp-staging.php:220
  • action · admin_enqueue_scripts · Staging/stage-to-live/super-stage-wp-staging.php:330
  • action · admin_enqueue_scripts · views/wpss-settings.php:11
  • action · admin_menu · wpss-init.php:12
  • action · admin_enqueue_scripts · wpss-init.php:13
  • action · wp_enqueue_scripts · wpss-init.php:14
Maintenance & Trust

Super Stage WP Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 4, 2026
PHP min version
Downloads: 1K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 10
Developer Profile

Super Stage WP Developer Profile

revmakx

8 plugins · 224K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 707 days
Detection Fingerprints

How We Detect Super Stage WP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/super-stage-wp/css/wpss-common.css
  • /wp-content/plugins/super-stage-wp/css/wpss-enqueue.css
  • /wp-content/plugins/super-stage-wp/js/wpss-common.js
  • /wp-content/plugins/super-stage-wp/js/wpss-functions.js
  • /wp-content/plugins/super-stage-wp/js/wpss-admin.js
Script Paths
  • /wp-content/plugins/super-stage-wp/js/wpss-common.js
  • /wp-content/plugins/super-stage-wp/js/wpss-functions.js
  • /wp-content/plugins/super-stage-wp/js/wpss-admin.js
Version Parameters
  • super-stage-wp/css/wpss-common.css?ver=
  • super-stage-wp/css/wpss-enqueue.css?ver=
  • super-stage-wp/js/wpss-common.js?ver=
  • super-stage-wp/js/wpss-functions.js?ver=
  • super-stage-wp/js/wpss-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpss-admin-notice
  • wpss-admin-body
HTML Comments
RevmakxWPSS StagingSuper Stage WP Staging
Data Attributes
  • data-wpss-action
  • data-wpss-nonce
JS Globals
  • wpss_data
  • wpss_ajax_object
REST Endpoints
/wp-json/wpss/v1/copy-stage-to-live