What the vulnerability does
01Description
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user.
Explanation of Vulnerability in Simple Terms
02Summary
Admin Columns versions up to 7.0.18 contain a deserialization vulnerability that allows authenticated users to execute arbitrary code on the site. An attacker with low-level access can craft malicious serialized data that, when processed by the plugin, runs their own PHP code with full site privileges. This affects confidentiality, integrity, and availability of the entire WordPress installation.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site with full WordPress privileges.
Potential impact on your site
04Site Impact
Any authenticated user can compromise the entire site, steal data, modify content, or take the site offline.
Conditions required to exploit
05Prerequisites
Attacker must have a low-level user account (subscriber or above) on the WordPress site.
Key dates
06Disclosure timeline
June 5, 2026
CVE published
June 6, 2026
Record updated