CVE-2026-7654
8.8 HIGH
Published: 2026-06-05 · Last updated: 2026-06-08
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-502 (Deserialization of Untrusted Data)
Description
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
Source: NVD
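The pattern named in the description, `unserialize()` on attacker-controlled post meta with no `allowed_classes` restriction, is shown below next to two hardened variants and a small detection helper. This is an added illustration written for this page, not code from the Admin Columns plugin; the function names (`get_ids_unsafe`, `get_ids_safe`, `get_ids_from_csv`, `meta_contains_object`) and the sample meta values are constructed and do not reflect the real `IdsToCollection::get_ids_from_string()` implementation.

```php
<?php
// Added illustration for CVE-2026-7654 (not the plugin's code).
// All function names and sample inputs below are constructed assumptions.
declare(strict_types=1);

// UNSAFE: a serialized string read from post meta goes straight into unserialize().
// Any autoloadable class named in the payload gets instantiated, which is what
// makes a bundled POP gadget chain reachable from a low-privilege account.
function get_ids_unsafe(string $meta): array
{
    $value = unserialize($meta);                 // no allowed_classes restriction
    return is_array($value) ? $value : [];
}

// HARDENED, step 1: forbid object instantiation. With allowed_classes => false,
// every O:/C: record is materialised as __PHP_Incomplete_Class, so no
// constructor, __wakeup() or __destruct() of an application class ever runs.
// Step 2: an id list has a known shape, so enforce it and drop everything else.
function get_ids_safe(string $meta): array
{
    $value = unserialize($meta, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    $ids = [];
    foreach ($value as $item) {
        if (is_int($item) || (is_string($item) && ctype_digit($item))) {
            $ids[] = (int) $item;
        }
    }
    return $ids;
}

// HARDENED, alternative: when the stored format is under your control, do not
// use a deserializer at all. A comma-separated id list needs only explode().
function get_ids_from_csv(string $meta): array
{
    $digits = array_filter(explode(',', $meta), 'ctype_digit');
    return array_values(array_map('intval', $digits));
}

// Detection helper for defenders: flag meta values that carry object records.
// A genuine id list never contains an O: or C: token, so a hit is worth a look
// (a quoted string value could still false-positive; treat this as triage, not proof).
function meta_contains_object(string $meta): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $meta);
}

// Constructed sample inputs, not taken from the advisory.
$benign = 'a:2:{i:0;i:12;i:1;i:34;}';           // a plain list of two ids
$object = 'O:8:"stdClass":1:{s:1:"x";i:1;}';   // harmless stdClass standing in for any object record

var_dump(get_ids_safe($benign));               // array(12, 34)
var_dump(get_ids_safe($object));               // array() : __PHP_Incomplete_Class is not an array
var_dump(get_ids_unsafe($object));             // array(), but a stdClass object was instantiated first
var_dump(meta_contains_object($object));       // bool(true)
var_dump(meta_contains_object($benign));       // bool(false)
var_dump(get_ids_from_csv('12,34,x'));         // array(12, 34)
```

The `allowed_classes => false` option only removes the object-instantiation primitive; it does not make `unserialize()` a validator, which is why `get_ids_safe()` still checks the decoded shape. Where a plugin can choose its own storage format, the CSV variant removes the deserializer from the attack surface entirely. The regex helper is meant for sweeping existing `wp_postmeta` rows from a Contributor-writable site for object records that should never be there.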
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-7654
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/IdsToCollection.php#L42
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/Meta.php#L34
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Serializers/Native.php#L148
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Support/ClosureStream.php#L47
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/IdsToCollection.php#L42
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/Meta.php#L34
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Serializers/Native.php#L148
- [Other] https://plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Support/ClosureStream.php#L47
- [Other] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3553297%40codepress-admin-columns&new=3553297%40codepress-admin-columns&sfp_email=&sfph_mail=
- [Other] https://www.wordfence.com/threat-intel/vulnerabilities/id/051a3967-ef86-49bc-b72c-23e43568fef6?source=cve
Related CVEs
Same CWE
- CVE-2026-41699 — Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries (8.1 HIGH)
- CVE-2026-20251 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, ... (8.8 HIGH)
- CVE-2026-53435 — In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined i... (8.8 HIGH)
- CVE-2026-52751 — Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthe... (8.8 HIGH)
- CVE-2026-10721 — Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components