Skip to main content

Admin Columns CVE-2026-7654

| EUVD-2026-34922 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-05 Wordfence GHSA-h6x4-229g-5f43
PHP Deserialization WordPress RCE
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 23:15 vuln.today
CVE Published
Jun 05, 2026 - 22:28 nvd
HIGH 8.8

DescriptionCVE.org

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of unserialize() without an allowed_classes restriction in the IdsToCollection::get_ids_from_string() function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.

AnalysisAI

Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain Contributor account on target site
Delivery
Craft serialized SerializableClosure payload
Exploit
Inject payload into post custom meta field
Install
Admin Columns formatter calls unserialize() on meta value
C2
POP gadget chain registers ClosureStream wrapper
Execute
PHP code executes as web server user
Impact
Persist webshell or pivot into WordPress database
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires an authenticated WordPress account with Contributor role or higher (PR:L) on a site running Admin Columns 7.0.18 or earlier with the bundled laravel/serializable-closure library present. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects network-reachable exploitation requiring only low-level authentication (Contributor role) with no user interaction and full CIA impact - consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privilege Contributor account on a target WordPress site running Admin Columns, then creates or edits a draft post and writes a crafted PHP serialized SerializableClosure object into a custom meta field consumed by the IdsToCollection formatter. When the meta value is rendered through Admin Columns (for example by viewing the post list in wp-admin), unserialize() instantiates the closure gadget, the ClosureStream wrapper is registered, and arbitrary PHP code runs as the web server user. …
Remediation Upstream fix available (changeset 3553297 in the codepress-admin-columns repository); a released patched version beyond 7.0.18 is not independently confirmed from the provided data, so administrators should upgrade to the latest Admin Columns release published after the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3553297%40codepress-admin-columns&new=3553297%40codepress-admin-columns and verify the IdsToCollection::get_ids_from_string() function now passes allowed_classes=>false to unserialize(). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Admin Columns plugin (versions ≤7.0.18) and audit active Contributor accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-7654 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy