CVE-2026-7654
Description
PHP Object Injection in Admin Columns for WordPress up to 7.0.18 allows RCE via serialized data in post meta.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Object Injection in Admin Columns for WordPress up to 7.0.18 allows RCE via serialized data in post meta.
Vulnerability
The Admin Columns plugin for WordPress versions up to and including 7.0.18 is vulnerable to PHP Object Injection. This vulnerability exists in the IdsToCollection::get_ids_from_string() function, which processes post meta values. The function uses unserialize() without an allowed_classes restriction on attacker-controlled input, enabling the injection of serialized PHP objects [3].
Exploitation
An authenticated attacker with Contributor-level access or higher can exploit this vulnerability. The attacker needs to inject a serialized PHP object into a post's custom meta field. When this meta field is processed by the vulnerable function, it can trigger a bundled POP gadget chain, leading to arbitrary code execution [3].
Impact
Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) as the web server user. This means the attacker can execute arbitrary code on the server, potentially leading to a full compromise of the WordPress installation and the underlying server.
Mitigation
This vulnerability was fixed in Admin Columns version 7.0.19. There are no other workarounds available. Users are strongly advised to update to a patched version as soon as possible. The plugin is not listed on the Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=7.0.18
- Range: <=7.0.18
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
10- plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/IdsToCollection.phpnvd
- plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/classes/Formatter/Meta.phpnvd
- plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Serializers/Native.phpnvd
- plugins.trac.wordpress.org/browser/codepress-admin-columns/tags/7.0.16/vendor/laravel/serializable-closure/src/Support/ClosureStream.phpnvd
- plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/IdsToCollection.phpnvd
- plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/classes/Formatter/Meta.phpnvd
- plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Serializers/Native.phpnvd
- plugins.trac.wordpress.org/browser/codepress-admin-columns/trunk/vendor/laravel/serializable-closure/src/Support/ClosureStream.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/051a3967-ef86-49bc-b72c-23e43568fef6nvd
News mentions
0No linked articles in our index yet.