Admin Columns Plugin Vulnerability (CVE-2026-7654)

Security Alert Summary

The Admin Columns plugin for WordPress contains a PHP object injection vulnerability that can lead to remote code execution. The issue stems from use of unserialize() without an allowed_classes restriction when processing post meta, allowing authenticated users with Contributor-level access and above to supply a serialized object that triggers a bundled POP gadget chain and executes code as the web server user.


CVE Details

  • CVE ID: CVE-2026-7654
  • Affected component: Admin Columns plugin for WordPress
  • Affected versions: versions up to and including 7.0.18
  • Published: June 5, 2026 at 11:16:44 PM
  • Last modified: June 5, 2026 at 11:16:44 PM
  • CVSS v3.1 base score: 8.8
  • CVSS v3.1 severity: HIGH
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Authentication / privileges / user interaction: Authenticated attacker with Contributor-level access or above; Privileges Required: LOW; User Interaction: NONE
  • Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
  • CWE / weakness: CWE-502 (Deserialization of Untrusted Data)

Technical Details

The vulnerability is caused by deserializing attacker-controlled data without restricting allowed classes. Specifically, the function IdsToCollection::get_ids_from_string() calls unserialize() on post meta values without supplying an allowed_classes restriction. Post meta values processed by this code path can be controlled by authenticated users with sufficient privileges (Contributor and above), enabling PHP object injection.

When a serialized object supplied by an attacker is deserialized, a bundled POP (property oriented programming) gadget chain in the plugin or its bundled libraries can be triggered, resulting in execution of arbitrary code as the web server user. The plugin’s related files referenced in the advisory include formatter classes that process meta values and vendor files from the bundled serializable-closure implementation.

Impact is limited to the capabilities of the web server user: successful exploitation allows arbitrary code execution under that account, which can be used to read, modify, or delete site data and files, or disrupt availability. The vulnerability exists because of missing validation and missing allowed_classes usage when deserializing user-controlled data.
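As an added illustration (not the plugin's own code; the function names are hypothetical), the following PHP sketch places the weak pattern the advisory describes next to a hardened form that refuses objects, and adds a triage check a site owner can run over stored meta values:

```php
<?php
// Added example for CWE-502: unserialize() on user-controlled post meta.
// Function names are hypothetical; this is not the Admin Columns source.

/**
 * Weak pattern (as the advisory describes it): no allowed_classes, so any
 * serialized object in $meta is instantiated and its magic methods
 * (__wakeup, __destruct, ...) become reachable for a POP gadget chain.
 */
function get_ids_from_string_unsafe(string $meta): array {
    $ids = unserialize($meta);
    return is_array($ids) ? array_map('intval', $ids) : [];
}

/**
 * Hardened form: allowed_classes => false turns every serialized object into
 * __PHP_Incomplete_Class instead of instantiating it, so no gadget runs.
 * The result is then validated against the only shape a list of post IDs
 * should ever have: an array of positive integers.
 */
function get_ids_from_string_safe(string $meta): array {
    $ids = @unserialize($meta, ['allowed_classes' => false]);
    if (!is_array($ids)) {
        return [];
    }
    $ints = array_filter($ids, fn($v) => is_int($v) && $v > 0);
    return array_values($ints);
}

/**
 * Defender-side triage: flag stored meta that embeds a serialized object.
 * 'O:<len>:"Class"' marks an object and 'C:' a custom-serializable class;
 * neither belongs in a plain list of IDs. (A string value that itself
 * contains such a token would also match, so treat hits as leads to review.)
 */
function meta_contains_serialized_object(string $meta): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $meta);
}

// Constructed sample inputs (not taken from the advisory).
$benign  = serialize([12, 34, 56]);
$tainted = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}';

var_dump(get_ids_from_string_safe($benign));          // [12, 34, 56]
var_dump(get_ids_from_string_safe($tainted));         // [] (object refused)
var_dump(meta_contains_serialized_object($benign));   // false
var_dump(meta_contains_serialized_object($tainted));  // true
```

The triage function can be applied to the output of a query over wp_postmeta to list rows worth inspecting before and after updating the plugin.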


How This Could Impact Your Website

Consider a typical WordPress site with a site owner, internal staff (editors or administrators), and external contributors or contractors who have Contributor-level access. If an attacker with Contributor access can add or edit a post meta value, they may be able to inject a crafted serialized object into that meta field. Deserialization of that object can execute code as the web server user, which could be used to read internal data, modify posts or files, or install backdoors.

Practical consequences include exposure of internal user email addresses or other sensitive data stored in the site database, increased risk of targeted phishing or social engineering against staff, or modification of site content and functionality. Availability can also be affected if an attacker uses code execution to disrupt services or delete files.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially accounts with Contributor-level access and above.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and themes.
  • Monitor site activity and logs for unusual behavior, unexpected user meta changes, or new files uploaded to the site.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References