
CVE-2026-7654

HIGH CVSS 8.8 other

The flaw

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the

What to do

Review advisory and patch per vendor guidance.
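The `allowed_classes` restriction named in the description, shown as an added PHP example that is not the plugin's code and is not taken from the vendor patch. `Probe`, `contains_object()` and `decode_plain_array()` are hypothetical names, the serialized inputs are constructed, and PHP 8.0 or later is assumed.

```php
<?php
// Hypothetical class: stands in for any loadable class with magic methods.
final class Probe
{
    public static int $wakeups = 0;
    public function __wakeup(): void
    {
        self::$wakeups++; // runs as a side effect of deserialization
    }
}

// True if the value is, or contains, any object, including the
// __PHP_Incomplete_Class placeholders a restricted unserialize() leaves behind.
function contains_object(mixed $value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
        return false;
    }
    return is_object($value);
}

// Hypothetical helper: decode stored data that should hold only arrays and scalars.
function decode_plain_array(string $raw): array
{
    // allowed_classes => false: no class is instantiated, no magic method runs.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value) || contains_object($value)) {
        throw new UnexpectedValueException('stored value is not a plain array');
    }
    return $value;
}

// Constructed sample inputs: one plain array, one array carrying an object.
$plain  = serialize(['column' => 'title', 'width' => 120]);
$nested = serialize(['column' => new Probe()]);

unserialize($nested);                    // unrestricted form: Probe::__wakeup() runs
var_dump(Probe::$wakeups);
var_dump(decode_plain_array($plain));    // restricted form accepts plain data
try {
    decode_plain_array($nested);         // restricted form rejects embedded objects
} catch (UnexpectedValueException $e) {
    var_dump($e->getMessage(), Probe::$wakeups);
}
```

The counter printed in the `catch` branch shows whether the restricted call triggered `__wakeup()` a second time.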


First seen 2026-06-12 · Tracked by PickBits CyberHawk