CVE-2026-7654 - Vulnerability Details

Description

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.

Published: 2026-06-05

Score: 8.8 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection caused by an unserialize call that lacks an allowed_classes filter. This flaw enables an attacker who can insert a serialized PHP object into a post's custom meta field to trigger a bundled POSt POP gadget chain, resulting in arbitrary code execution with the web server's privileges. The impact is the ability to run malicious code on the server from within a WordPress site.

Affected Systems

Any WordPress site running the Admin Columns plugin version 7.0.18 or earlier is affected. The plugin is distributed under the codepress:Admin Columns package and modifies how custom field metadata is processed, so any installation of the plugin before the patch is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is not provided, and the flaw is not listed in the CISA KEV catalog. Because the attack requires an authenticated user with Contributor-level access or higher, the attack vector is limited to authorized users who can edit post meta. However, once an authenticated attacker injects the malicious payload, remote code execution is achieved automatically, posing significant risk to the site and its data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

codepress

Admin Columns

unaffected

Version	Status	Constraints
`0`	affected	≤ 7.0.18

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Admin Columns plugin to the latest version that includes the fix for PHP Object Injection.
If an upgrade cannot be performed immediately, restrict Contributor and higher roles from editing post metadata or disable custom fields that can be edited by these roles.
Modify the plugin or server configuration to disallow unserialize calls without an explicit allowed_classes parameter, ensuring serialized data is not processed from untrusted sources.

Generated by OpenCVE AI on June 6, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/IdsToCollection.php#L42
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/Meta.php#L34
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Serializers/Native.php#L148
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Support/ClosureStream.php#L47
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/IdsToCollection.php#L42
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/Meta.php#L34
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Serializers/Native.php#L148
https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Support/ClosureStream.php#L47
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3553297%40codepress-admin-columns&new=3553297%40codepress-admin-columns&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/051a3967-ef86-49bc-b72c-23e43568fef6?source=cve

History

Fri, 05 Jun 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
Title		Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value
Weaknesses		CWE-502
References		https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/IdsToCollection.php#L42 https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/Meta.php#L34 https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Serializers/Native.php#L148 https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Support/ClosureStream.php#L47 https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/IdsToCollection.php#L42 https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/Meta.php#L34 https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Serializers/Native.php#L148 https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Support/ClosureStream.php#L47 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3553297%40codepress-admin-columns&new=3553297%40codepress-admin-columns&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/051a3967-ef86-49bc-b72c-23e43568fef6?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-05T22:28:06.814Z

Updated: 2026-06-05T22:28:06.814Z

Reserved: 2026-05-01T18:30:46.366Z

Link: CVE-2026-7654

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-05T23:16:44.807

Modified: 2026-06-05T23:16:44.807

Link: CVE-2026-7654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T00:30:08Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object