CVE-2026-7654

The Admin Columns plugin for WordPress (up to version 7.0.18) is vulnerable to PHP Object Injection that leads to Remote Code Execution. Root cause: unserialize() used without an allowed_classes restriction in IdsToCollection::get_ids_from_string(), processing attacker-controlled post meta values...

CVE-2026-7654 Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of unserialize without an allowedclasses restriction in the IdsToCollection::getidsfromstring function, which processes...