CVE-2026-7654 | P2 | HIGH | CVSS 8.8 | ≤ 7.0.18 | 2026-06-05
CVE-2026-7654 [HIGH] CWE-502 CVE-2026-7654: The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without prop
nvd