CVE-2026-7654: Admin Columns WordPress Plugin RCE via PHP Object Injection
The Admin Columns plugin for WordPress contains a critical flaw that allows authenticated users—including those with basic contributor permissions—to execute arbitrary code on a website. The vulnerability stems from insecure handling of serialized PHP data in post metadata. An attacker with contributor-level access or higher can craft a malicious serialized object and inject it into a post's custom field, triggering code execution with the privileges of the web server. This affects all versions up to and including 7.0.18.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-502
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
10 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7654 exploits unsafe deserialization in the Admin Columns plugin's `IdsToCollection::get_ids_from_string()` function. The function processes post meta values using `unserialize()` without restricting the `allowed_classes` parameter, making it vulnerable to PHP Object Injection (CWE-502). Attackers leverage a POP (Property-Oriented Programming) gadget chain bundled within the plugin to convert the injected serialized object into remote code execution. The vulnerability requires authentication at contributor level or above, but does not require user interaction.
Business impact
Compromise of a WordPress site running the vulnerable Admin Columns plugin could lead to full server takeover. An attacker gaining RCE as the web server user can steal sensitive data, modify content, install backdoors, pivot to internal systems, or use the compromised host for lateral movement. The requirement for contributor-level access means the attack surface includes all users with basic content creation privileges—a common permission tier in multi-author WordPress environments. Data breach, service disruption, and remediation costs are significant organizational risks.
Affected systems
WordPress sites with the Admin Columns plugin installed and active in versions 7.0.18 and earlier are affected. The vulnerability is accessible to any authenticated user with contributor-level permissions or higher (contributor, author, editor, administrator). Sites without the plugin are not affected; those running the plugin on versions prior to 7.0.18 require immediate attention.
Exploitability
Exploitation requires valid WordPress authentication credentials with at least contributor-level access. An attacker does not need administrator privileges, greatly expanding the threat actor pool to include compromised or malicious content creators. No user interaction is needed; the attack is fully automated once the malicious serialized object is injected into a post meta field. The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network accessibility, low attack complexity, low privilege requirements, and high impact across confidentiality, integrity, and availability.
Remediation
Update the Admin Columns plugin to a patched version that addresses the unsafe deserialization. Verify against the official Admin Columns plugin advisories and changelog for the recommended minimum version. Organizations should restrict contributor-level access to trusted personnel only and audit existing contributors for suspicious activity. For immediate mitigation pending patches, consider deactivating the plugin if not critical to operations, or implement Web Application Firewall (WAF) rules to detect and block serialized PHP payloads in POST requests targeting post meta endpoints.
Patch guidance
Check the official Admin Columns plugin repository and vendor advisories for patched versions released after June 17, 2026. Update immediately via the WordPress admin dashboard or by downloading the latest version directly from the vendor. After patching, verify the update in the Plugins menu and confirm the version number reflects the security fix. Test functionality on a staging environment before deploying to production.
Detection guidance
Monitor for POST requests to wp-admin/admin-ajax.php or post update endpoints containing serialized PHP objects (identifiable by 'O:' prefix followed by class name and property counts). Log and alert on any post meta modifications originating from contributor-level accounts, especially those containing base64-encoded or suspicious serialized data. Review post meta tables in the WordPress database for anomalous entries. Implement file integrity monitoring on the wp-content directory to detect unauthorized plugin or theme modifications resulting from exploitation. Check web server logs for unexpected process spawning or privilege escalation attempts coinciding with post meta updates.
Why prioritize this
This vulnerability merits urgent patching due to its high severity (CVSS 8.8), unauthenticated RCE potential, and low barrier to exploitation. The inclusion of a functional POP gadget chain and the prevalence of the Admin Columns plugin across WordPress installations make this a high-impact threat. The requirement for only contributor-level access—a common permission in enterprise WordPress deployments—increases likelihood of exploitation by insider threats or compromised low-privilege accounts.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: (1) Network vector—the attack is remotely exploitable via HTTP; (2) Low attack complexity—no special conditions or race conditions required; (3) Low privileges required—contributor-level access is easily obtainable and common; (4) No user interaction needed—the attack is fully automated; (5) Complete impact—successful exploitation grants confidentiality, integrity, and availability compromise as the web server user. The absence of CISA KEV listing does not diminish the severity; patching should not be delayed pending KEV inclusion.
Frequently asked questions
Do we need to be an administrator to exploit this vulnerability?
No. The vulnerability is accessible to any authenticated WordPress user with contributor-level permissions or above. Contributor is the lowest permission tier that can publish content, making this exploitable by a much broader user base than admin-only flaws. If your site has multiple authors or guest contributors, you should audit those accounts.
Can this vulnerability be exploited without user interaction?
Yes. Once a malicious serialized object is injected into a post's custom meta field, the vulnerable code executes automatically without requiring any additional action. An attacker simply needs to modify post metadata via the WordPress API or admin interface, and the plugin will deserialize the malicious payload during normal operation.
Is there a temporary workaround if we cannot patch immediately?
Deactivating the Admin Columns plugin is the most reliable short-term mitigation if it is not business-critical. If you must keep it active, restrict contributor-level access to fully trusted personnel, implement WAF rules to block serialized PHP payloads in POST data, and monitor post meta modifications closely. However, patching is strongly preferred.
What should we look for in our logs if we suspect exploitation?
Search for POST requests to wp-admin/admin-ajax.php or post update endpoints containing 'O:' (the PHP serialization prefix for objects). Check for unexpected post meta entries in the database, especially those with base64 encoding or suspicious class names. Review web server logs for unusual child process spawning or reverse shell connections originating around the same time as suspicious post meta updates.
This analysis is based on publicly disclosed vulnerability information available as of the publication date. Security professionals should verify all patch versions, affected product lists, and vendor advisories against the official sources before taking action. No proof-of-concept exploitation code or detailed attack steps are provided herein. Always test patches in a non-production environment before deployment. The absence of CISA KEV listing does not indicate lower severity or priority. For the most current information, consult the official Admin Columns plugin repository, vendor security advisories, and your organization's vulnerability management team. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11993HIGHWooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity
- CVE-2026-24221HIGHNVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide
- CVE-2026-24237HIGHNVIDIA NVTabular Deserialization Remote Code Execution Vulnerability
- CVE-2026-25551HIGHBarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation
- CVE-2026-37579HIGHSMSGate Remote Code Execution via CMPP7 Deserialization
- CVE-2026-38950HIGHESA AnomalyMatch Arbitrary Code Execution via Unsafe PyTorch Deserialization
- CVE-2026-39550HIGHAperitif Theme Remote Code Execution via Object Injection
- CVE-2026-39551HIGHTöbel Deserialization Remote Code Execution Vulnerability