[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu63orWhhOr_heuzSeIGBOgerK2h8LqO7V2ziqy_mwfI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-1542","super-stage-wp-unauthenticated-php-object-injection","Super Stage WP \u003C= 1.0.1 - Unauthenticated PHP Object Injection","The Super Stage WP plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.0.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","super-stage-wp",null,"\u003C=1.0.1","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-03-02 00:00:00","2026-04-14 14:32:17",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6976c62b-9457-481a-b71f-ccd13d74e222?source=api-prod",[],"researched",false,3,"# Research Plan: Super Stage WP \u003C= 1.0.1 - Unauthenticated PHP Object Injection\n\n## 1. Vulnerability Summary\nThe **Super Stage WP** plugin (versions up to 1.0.1) is vulnerable to **PHP Object Injection** due to the use of `unserialize()` on user-supplied data without adequate sanitization or authentication checks. This typically occurs in an AJAX handler or a public-facing initialization hook where state\u002Fconfiguration data is passed from the client to the server. Since the vulnerability is \"unauthenticated,\" it must reside in a code path accessible to logged-out users, likely via a `wp_ajax_nopriv_*` hook or a direct `init`\u002F`wp_loaded` hook processing `$_POST` or `$_GET` data.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX endpoint `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Action (Inferred):** Likely a `wp_ajax_nopriv_` action named something like `sswp_load_stage`, `super_stage_process`, or similar. \n*   **Parameter:** A POST parameter (e.g., `sswp_data`, `stage_state`, `payload`) containing a Base64-encoded or URL-encoded serialized PHP object string.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A nonce may be required if the developer attempted CSRF protection, though these are often bypassable or leaked on public pages.\n\n## 3. Code Flow\n1.  **Entry Point:** The plugin registers an AJAX action for unauthenticated users:\n    ```php\n    add_action( 'wp_ajax_nopriv_some_action', array( $this, 'vulnerable_method' ) );\n    ```\n2.  **Input Acquisition:** The `vulnerable_method` retrieves data from the request:\n    ```php\n    $data = $_POST['data_param'];\n    ```\n3.  **Vulnerable Sink:** The data is passed directly to `unserialize()` or `maybe_unserialize()`:\n    ```php\n    $unserialized_data = unserialize( base64_decode( $data ) );\n    ```\n4.  **Object Injection:** An attacker provides a crafted serialized string representing a PHP object. If a suitable POP (Property Oriented Programming) chain exists in WordPress core or other active plugins, it can lead to file deletion, data theft, or RCE.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable AJAX handler uses `check_ajax_referer` or `wp_verify_nonce`, the nonce is likely exposed to unauthenticated users through `wp_localize_script`.\n\n**Strategy:**\n1.  **Locate Script Localization:** Search the codebase for `wp_localize_script` to find the JavaScript object name and nonce key.\n    *   `grep -r \"wp_localize_script\" .`\n2.  **Identify Triggering Shortcode:** Find the shortcode that enqueues the plugin's frontend scripts.\n    *   `grep -r \"add_shortcode\" .`\n3.  **Setup Test Page:** Create a public post\u002Fpage containing that shortcode.\n    *   `wp post create --post_type=page --post_status=publish --post_content='[target_shortcode]'`\n4.  **Extract Nonce:**\n    *   Use `browser_navigate` to visit the newly created page.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Example based on common naming conventions\n        window.sswp_ajax_obj?.nonce || window.sswp_params?.ajax_nonce\n        ```\n\n## 5. Exploitation Strategy\nSince no specific POP chain is identified in the plugin itself, the exploitation will focus on proving the injection by using a standard WordPress core POP chain (e.g., `Requests_Utility_FilteredIterator`) or a class that triggers a visible side effect.\n\n### Step-by-Step Plan:\n1.  **Discovery:** Run `grep -rn \"unserialize\" .` to find the exact sink.\n2.  **Trace:** Find the hook (e.g., `wp_ajax_nopriv_...`) calling the function containing the sink.\n3.  **Payload Generation:**\n    *   Use a tool like `phpggc` or a manual PHP script to generate a payload. \n    *   *Target Chain (Requests):* `Requests_Utility_FilteredIterator` is often available in WP core.\n4.  **Execution:**\n    *   Prepare the HTTP POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n    *   Set `Content-Type: application\u002Fx-www-form-urlencoded`.\n    *   Include `action`, `nonce` (if required), and the malicious `payload`.\n5.  **Request Example:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Host: target.local\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=vulnerable_action&nonce=12345abcde&sswp_data=TzozMzoiUmVxdWVzdHNfVXRpbGl0eV9GaWx0ZXJlZEl0ZXJhdG9yIjoyOntzOjk6IgAqAGlzX2FwcCI7YjoxO3M6MTE6IgAqAGNhbGxiYWNrIjtzOjY6InN5c3RlbSI7fQ==\n    ```\n    *(Note: Base64 payload is illustrative of a serialized object)*.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `super-stage-wp` version 1.0.1 is installed and activated.\n2.  **Page Creation:** (If a shortcode is needed for nonce)\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Exploit Test\" --post_content=\"[super-stage-shortcode]\"`\n3.  **Identify Nonce Key:** Note the page ID to fetch the nonce via the browser.\n\n## 7. Expected Results\n*   **Confirmation:** If the injection is successful, the server will attempt to unserialize the object. \n*   **Side Effect:** If using a POP chain for RCE (e.g., `system('whoami')`), the output may appear in the HTTP response or the PHP error log.\n*   **Error-Based:** If no POP chain is used, injecting an object of a non-existent class (e.g., `O:14:\"ExploitSuccess\":0:{}`) will often trigger a PHP notice\u002Fwarning in `wp-content\u002Fdebug.log`: `PHP Incomplete_Class object...`, which confirms the data reached the `unserialize` sink.\n\n## 8. Verification Steps\n1.  **Log Inspection:** Check the WordPress debug log for evidence of the injected object.\n    *   `tail -n 20 \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log`\n2.  **Payload Observation:** If the payload triggers a system command (like `touch \u002Ftmp\u002Fpwned`), verify the file existence:\n    *   `ls \u002Ftmp\u002Fpwned`\n3.  **Database Check:** (If the POP chain modifies options)\n    *   `wp option get some_target_option`\n\n## 9. Alternative Approaches\n*   **Cookie-based Injection:** If no AJAX action is found, check if the plugin uses `unserialize` on any custom cookies during `init`.\n*   **maybe_unserialize:** If the plugin uses `maybe_unserialize()`, it might be possible to trigger the vulnerability even if the data doesn't \"look\" like a serialized string at first glance (though `maybe_unserialize` still requires the string to start with `a:`, `O:`, etc.).\n*   **Nested Deserialization:** Check if the plugin fetches data from a remote API and then deserializes it, which could lead to Second-Order Object Injection.","The Super Stage WP plugin for WordPress is vulnerable to Unauthenticated PHP Object Injection in versions up to 1.0.1 due to the use of unserialize() on untrusted user input. Unauthenticated attackers can exploit this by submitting crafted serialized payloads to the plugin's AJAX handlers, potentially leading to remote code execution if a suitable POP chain is available on the site.","1. Identify the unauthenticated AJAX action registered by the plugin (e.g., via wp_ajax_nopriv_ hooks) and the vulnerable POST parameter. 2. Extract the security nonce if required from the site's frontend scripts or localized JavaScript variables (e.g., window.sswp_params). 3. Craft a malicious PHP object payload using a tool like phpggc, targeting a core WordPress POP chain such as Requests_Utility_FilteredIterator. 4. Send an unauthenticated HTTP POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action, nonce, and the Base64-encoded serialized payload.","gemini-3-flash-preview","2026-04-18 21:45:53","2026-04-18 21:46:14",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuper-stage-wp\u002Ftags"]