CVE-2026-7654
PHP Object Injection in Admin Columns WordPress Plugin

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Wordfence

Description
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
Meta Information
Generated: 2026-06-06
AI Q&A: 2026-06-06
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: wp_admin_columns
Product: admin_columns
Version / Range: up to and including 7.0.18
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

The Admin Columns plugin for WordPress has a vulnerability in versions up to and including 7.0.18 where it improperly uses the PHP function `unserialize()` without restricting allowed classes. This occurs in the `IdsToCollection::get_ids_from_string()` function, which processes post meta values that can be controlled by an attacker.

Because of this, an authenticated attacker with Contributor-level access or higher can inject a malicious serialized PHP object into a post's custom meta field. This injection exploits a gadget chain within the plugin to execute arbitrary code remotely on the web server.


How can this vulnerability impact me?

This vulnerability can lead to remote code execution on the web server running the WordPress site. An attacker with Contributor-level access or higher can execute arbitrary code, potentially taking full control of the server environment under the web server user privileges.

The impact includes complete compromise of the affected website, data theft, defacement, installation of malware, or use of the server for further attacks.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update the Admin Columns plugin for WordPress to a version later than 7.0.18 where the issue is fixed.

Additionally, restrict Contributor-level users from adding or modifying post meta fields if possible, as the vulnerability requires authenticated users with Contributor-level access or higher.

Consider applying web application firewall (WAF) rules to detect and block attempts to inject serialized PHP objects in post meta fields.
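The root cause and the fix, as an added illustration that is not the Admin Columns plugin's code: the function names and the assumed meta layout (a serialized list of post IDs in a Contributor-writable post meta field) are hypothetical, but the unsafe and hardened `unserialize()` calls are the pattern CWE-502 and this advisory describe.

```php
<?php
// Added illustration, not code from the Admin Columns plugin. Function names
// and the meta layout (a serialized list of post IDs stored in a post meta
// field that a Contributor can write) are assumptions for the example.

// Unsafe pattern (the bug class CVE-2026-7654 describes): unserialize() with
// no 'allowed_classes' option instantiates whatever class the payload names,
// so attacker-controlled meta reaches __wakeup()/__destruct() gadget code.
function ids_from_meta_unsafe(string $meta): array {
    $value = @unserialize($meta);
    return is_array($value) ? $value : [];
}

// Hardened version: refuse objects entirely, then validate the shape.
function ids_from_meta_safe(string $meta): array {
    // allowed_classes => false turns every object into __PHP_Incomplete_Class
    // instead of instantiating it, so no magic methods ever run.
    $value = @unserialize($meta, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    $ids = [];
    foreach ($value as $item) {
        // Only positive integers (or digit-only strings) are legitimate post IDs.
        if (is_int($item) && $item > 0) {
            $ids[] = $item;
        } elseif (is_string($item) && ctype_digit($item) && (int) $item > 0) {
            $ids[] = (int) $item;
        }
        // Anything else (objects, nested arrays, floats) is dropped.
    }
    return array_values(array_unique($ids));
}

// Constructed sample inputs for the example.
$benign  = serialize([12, '34', 12]);
$hostile = 'O:8:"stdClass":1:{s:1:"x";s:1:"y";}'; // harmless stand-in object
var_dump(ids_from_meta_safe($benign));   // array(2) { 12, 34 }
var_dump(ids_from_meta_safe($hostile));  // array(0) { } : object never instantiated
```

If the stored format is under your control, storing such lists as JSON and reading them with `json_decode()` removes the deserialization surface altogether.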

