Description
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
Published: 2026-06-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection caused by an unserialize call that lacks an allowed_classes filter. This flaw enables an attacker who can insert a serialized PHP object into a post's custom meta field to trigger a bundled POSt POP gadget chain, resulting in arbitrary code execution with the web server's privileges. The impact is the ability to run malicious code on the server from within a WordPress site.

Affected Systems

Any WordPress site running the Admin Columns plugin version 7.0.18 or earlier is affected. The plugin is distributed under the codepress:Admin Columns package and modifies how custom field metadata is processed, so any installation of the plugin before the patch is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is not provided, and the flaw is not listed in the CISA KEV catalog. Because the attack requires an authenticated user with Contributor-level access or higher, the attack vector is limited to authorized users who can edit post meta. However, once an authenticated attacker injects the malicious payload, remote code execution is achieved automatically, posing significant risk to the site and its data.

Generated by OpenCVE AI on June 6, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Admin Columns plugin to the latest version that includes the fix for PHP Object Injection.
  • If an upgrade cannot be performed immediately, restrict Contributor and higher roles from editing post metadata or disable custom fields that can be edited by these roles.
  • Modify the plugin or server configuration to disallow unserialize calls without an explicit allowed_classes parameter, ensuring serialized data is not processed from untrusted sources.

Generated by OpenCVE AI on June 6, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Codepress
Codepress admin Columns
Wordpress
Wordpress wordpress
Vendors & Products Codepress
Codepress admin Columns
Wordpress
Wordpress wordpress

Sat, 06 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Description The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
Title Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Codepress Admin Columns
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:46:31.154Z

Reserved: 2026-05-01T18:30:46.366Z

Link: CVE-2026-7654

cve-icon Vulnrichment

Updated: 2026-06-06T11:46:26.498Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T23:16:44.807

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-7654

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:15:37Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data