HarborGuard Database

Severity: HIGH | CVE-2026-7654 | CNA: Wordfence

CVE-2026-7654: Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
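The advisory's root cause is an `unserialize()` call over stored post meta with no `allowed_classes` restriction. As an added illustration that is not code from the plugin or from HarborGuard, the block below shows a hardened way to parse a meta value that is expected to hold a list of post IDs, plus a small audit helper for scanning stored meta values; the function names, the data shape and the sample values are assumptions.

```php
<?php
// Added illustration, not the plugin's code: hardened handling of a meta
// value expected to hold a list of post IDs (data shape is an assumption).
declare(strict_types=1);

/** Parse a meta value into int IDs without ever instantiating objects. */
function safe_ids_from_meta(string $raw): array
{
    $raw = trim($raw);
    if ($raw === '') {
        return [];
    }
    // Plain "1,2,3" form needs no deserialization at all.
    if (preg_match('/^\d+(,\d+)*$/', $raw)) {
        return array_map('intval', explode(',', $raw));
    }
    // allowed_classes=false turns any object into __PHP_Incomplete_Class,
    // so no gadget class is instantiated and none of its magic methods run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $ids = [];
    foreach ($data as $item) {
        if (is_int($item) || (is_string($item) && ctype_digit($item))) {
            $ids[] = (int) $item;   // objects, nested arrays etc. are dropped
        }
    }
    return $ids;
}

/** Audit helper: flag stored values carrying a serialized object/class. */
function meta_value_has_serialized_object(string $raw): bool
{
    // "O:<len>:" marks an object, "C:<len>:" a Serializable class; string
    // fields that merely contain these markers are flagged too (review them).
    return (bool) preg_match('/(^|[{;:])[OC]:\d+:"/', $raw);
}

// Constructed sample values (not from any real site):
$samples = [
    '12,7,33',                       // legitimate comma list
    'a:2:{i:0;i:5;i:1;s:2:"19";}',   // legitimate serialized array
    'O:8:"stdClass":0:{}',           // harmless object: must still be rejected
];
foreach ($samples as $s) {
    printf("%-30s ids=%-8s object=%s\n", $s,
        json_encode(safe_ids_from_meta($s)),
        meta_value_has_serialized_object($s) ? 'yes' : 'no');
}
```

Running the audit helper over the `wp_postmeta` rows for the plugin's meta keys is a practical interim check while no fixed release exists: a post-ID list should never contain a serialized object, so any hit is worth investigating.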

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection in the Admin Columns plugin for WordPress (versions up to and including 7.0.18) allows an authenticated attacker with Contributor-level access to write a malicious serialized PHP object into a post's custom meta field. The vulnerability is reachable over the network without elevated privileges, and a bundled POP gadget chain transforms the deserialization into full remote code execution as the web server user. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and NVD) within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering custom-built WordPress images that bundle the Admin Columns plugin alongside core.

Triage: Available

HarborGuard scores this finding at CVSS 8.8 HIGH (v3.1) and is capable of weighting it further against per-environment compliance policies, routing the alert to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress application over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Required

    A valid WordPress account at Contributor level or above is required; a Contributor account, the lowest role able to create posts and set their custom fields, is sufficient to trigger the injection, and no administrator involvement is needed.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker triggers deserialization entirely through their own requests.

  • Attack complexity: Low

    Attack complexity is rated Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • The attacker executes arbitrary OS commands as the web server user, gaining an interactive foothold on the container or host running WordPress.
  • Full read access to the WordPress database credentials, environment variables, and any secrets mounted into the container is obtained.
  • The attacker can write, modify, or delete files within the web root, including themes, plugins, and uploaded content.
  • Service availability can be disrupted by overwriting critical application files or consuming host resources.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for Admin Columns at this time, HarborGuard continuously re-checks the Wordfence and NVD advisory feeds on every ingest cycle and will surface a patched-image rebuild the moment version 7.0.19 or a later remediated release is published. In the interim, compensating controls are worth considering: network-policy rules that restrict who can reach the WordPress application to trusted IP ranges reduce exposure for contributor accounts that may be broadly issued; egress filtering on the container can limit what an attacker can do after achieving code execution; and disabling the Admin Columns plugin entirely via feature-flag or image build configuration removes the vulnerable code path until a patch lands. For customers with auto-remediation enabled, HarborGuard will automatically rebuild affected images, run the regression suite, and open a PR against impacted workloads within minutes of a fix version appearing upstream, with a median time from CVE fix publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled.

Affected packages

  • codepress / Admin Columns: ≤ 7.0.18

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H