PatchSiren cyber security CVE debrief
CVE-2026-7654 codepress CVE debrief
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
- Vendor
- codepress
- Product
- Admin Columns
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-05
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-05
- Advisory updated
- 2026-06-08
Who should care
Users of the Admin Columns plugin for WordPress, particularly those with Contributor-level access and above, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function. This allows attackers to inject a serialized PHP object into a post's custom meta field, which can lead to Remote Code Execution.
Defensive priority
HIGH
Recommended defensive actions
- Update the Admin Columns plugin to a version that is not vulnerable (e.g., version 7.0.19 or later).
- Restrict access to the plugin's functionality to only trusted users.
- Monitor for suspicious activity on the WordPress site.
Evidence notes
The CVE-2026-7654 vulnerability was reported by [email protected] and has a CVSS score of 8.8.
Official resources
CVE-2026-7654 was published on 2026-06-05T23:16:44.807Z and modified on 2026-06-08T14:57:14.757Z.