CVE-2026-7654
Deferred Deferred - Pending Action

PHP Object Injection in Admin Columns WordPress Plugin

Vulnerability report for CVE-2026-7654, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: Wordfence

Description

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-07-17
AI Q&A
2026-06-06
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_admin_columns admin_columns to 7.0.18 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Admin Columns plugin for WordPress has a vulnerability in versions up to and including 7.0.18 where it improperly uses the PHP function `unserialize()` without restricting allowed classes. This occurs in the `IdsToCollection::get_ids_from_string()` function, which processes post meta values that can be controlled by an attacker.

Because of this, an authenticated attacker with Contributor-level access or higher can inject a malicious serialized PHP object into a post's custom meta field. This injection exploits a gadget chain within the plugin to execute arbitrary code remotely on the web server.

Impact Analysis

This vulnerability can lead to remote code execution on the web server running the WordPress site. An attacker with Contributor-level access or higher can execute arbitrary code, potentially taking full control of the server environment under the web server user privileges.

The impact includes complete compromise of the affected website, data theft, defacement, installation of malware, or use of the server for further attacks.

Mitigation Strategies

To mitigate this vulnerability, you should update the Admin Columns plugin for WordPress to a version later than 7.0.18 where the issue is fixed.

Additionally, restrict Contributor-level users from adding or modifying post meta fields if possible, as the vulnerability requires authenticated users with Contributor-level access or higher.

Consider applying web application firewall (WAF) rules to detect and block attempts to inject serialized PHP objects in post meta fields.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart