CVE-2026-7654

WordPress · Admin Columns Plugin

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection: it deserializes post meta values without validation, which can lead to Remote Code Execution.

Executive summary

A critical PHP Object Injection vulnerability in the Admin Columns WordPress plugin allows unauthenticated attackers to achieve Remote Code Execution when a suitable gadget chain (a class with exploitable magic methods) is present on the site.

Vulnerability

This vulnerability is a PHP Object Injection flaw in the IdsToCollection::get_ids_from_string() function. The function passes a post meta value to unserialize() without an allowed_classes restriction, so a serialized object record in that value instantiates whatever class it names and runs that class's magic methods (__wakeup(), __destruct() and similar). An attacker who can control a post meta value that the function reads, which the advisory states is possible without authentication, can therefore inject arbitrary objects; combined with a gadget chain already present in WordPress core, the theme or another plugin, this yields arbitrary code execution.
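The following PHP is an added illustration of the flaw class and its fix, not code from Admin Columns or the advisory. Only the function name get_ids_from_string() is taken from the advisory; its body, the Collection class and the Gadget stand-in are assumptions. The point it demonstrates is that filtering the returned IDs afterwards does not help, because the magic method has already executed inside unserialize(); the hardened version prevents instantiation with allowed_classes => false and then type-checks what is left.

```php
<?php
// Added illustration, not code from Admin Columns. The function name comes
// from the advisory; its body, Collection and Gadget are assumptions.
declare(strict_types=1);

final class Collection
{
    /** @param int[] $ids */
    public function __construct(private array $ids) {}
    public function ids(): array { return $this->ids; }
}

// Stand-in gadget: a class whose magic method has side effects. Real gadget
// chains live in libraries already on the site; this one only records that
// unserialize() ran its __wakeup().
final class Gadget
{
    public static bool $triggered = false;
    public string $cmd = '';
    public function __wakeup(): void { self::$triggered = true; }
}

function looks_serialized(string $value): bool
{
    // a: array, O: object, C: custom (legacy Serializable) record
    return (bool) preg_match('/^[aOC]:\d+:/', $value);
}

// VULNERABLE pattern: the meta value goes straight into unserialize(), so a
// serialized O: record instantiates whatever class it names.
function get_ids_from_string_vulnerable(string $value): Collection
{
    $data = looks_serialized($value) ? unserialize($value) : explode(',', $value);
    // Dropping non-scalars here is too late: __wakeup() already ran.
    return new Collection(array_map('intval', array_values(array_filter((array) $data, 'is_scalar'))));
}

// HARDENED: allowed_classes => false turns every O:/C: record into a
// __PHP_Incomplete_Class (no constructor, __wakeup() or __destruct() runs),
// and only integer-like scalars survive the type check.
function get_ids_from_string_hardened(string $value): Collection
{
    if (looks_serialized($value)) {
        $data = @unserialize($value, ['allowed_classes' => false]);
        if (!is_array($data)) {
            return new Collection([]);
        }
    } else {
        $data = explode(',', $value);
    }
    $ids = [];
    foreach ($data as $item) {
        if (is_int($item) || (is_string($item) && ctype_digit($item))) {
            $ids[] = (int) $item;
        }
    }
    return new Collection($ids);
}

// Constructed payload: a serialized array of IDs that smuggles an object.
$payload = 'a:2:{i:0;i:42;i:1;O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}}';

get_ids_from_string_vulnerable($payload);
var_dump(Gadget::$triggered);              // bool(true): __wakeup() ran

Gadget::$triggered = false;
$ids = get_ids_from_string_hardened($payload)->ids();
var_dump(Gadget::$triggered);              // bool(false)
var_dump($ids);                            // array(1) { [0]=> int(42) }
```

The allowed_classes option exists since PHP 7.0. If the stored value never legitimately needs to be serialized at all, the stronger fix is to stop calling unserialize() on it entirely and store a comma-separated or JSON list instead.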

Business impact

The CVSS score of 8.8 reflects the high severity of this flaw: successful exploitation gives the attacker code execution as the web server user, and from there control of the site, its database contents and the ability to use the server as a pivot for further attacks, with the reputational damage and downtime that follow. One caveat for triage: in CVSS 3.1, 8.8 corresponds to a vector that requires some privileges (for example CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), whereas a fully unauthenticated path scores 9.8, so confirm the exact preconditions for writing the affected post meta against the vendor advisory.

Remediation

Immediate Action: Update the Admin Columns plugin to version 7.0.19 or later. This is the only fix for the insecure deserialization; the monitoring and WAF measures below are stopgaps, not substitutes.

Proactive Monitoring: WordPress does not log post meta writes by itself, so review web server access logs for requests to the endpoints that set post meta (REST API routes, admin-ajax.php, post save actions) carrying serialized PHP data, and inspect the wp_postmeta table for object records (values starting with or containing O:<length>:"ClassName"). Unexpected PHP files or processes spawned by the web server user indicate a chain that already succeeded.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules that detect and block serialized PHP object records in incoming requests. Apply the rules after URL decoding and base64 decoding, since payloads are rarely sent as raw serialized text, and expect some false positives where plugins legitimately submit serialized data.
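As an added example for the monitoring and WAF items above (not tooling from the advisory or the plugin), the script below inspects stored post meta values for serialized object records without ever instantiating a class. The meta rows and the class name SomeClass are constructed; the regex is the kind of pattern a WAF signature would use as a first pass, and the allowed_classes => false parse confirms the hit precisely.

```php
<?php
// Added example, not from the advisory or the plugin. Scans meta values
// for serialized object records without instantiating any class.
// The rows below are constructed; on a real site candidates would come from
// something like:
//   SELECT post_id, meta_key, meta_value FROM wp_postmeta
//   WHERE meta_value LIKE 'O:%' OR meta_value LIKE '%;O:%' OR meta_value LIKE '%{O:%';
declare(strict_types=1);

// Cheap first pass (WAF-style): class names from O:/C: records that sit at a
// record boundary. Heuristic only; a plain string value can contain the same bytes.
function object_records(string $value): array
{
    preg_match_all('/(?:^|[;{])[OC]:\d+:"([^"]+)"/', $value, $m);
    return array_values(array_unique($m[1]));
}

// Precise pass: parse with allowed_classes => false and walk the result.
// Every object becomes __PHP_Incomplete_Class, which keeps the original
// class name in its __PHP_Incomplete_Class_Name property.
function incomplete_classes(mixed $node, array &$out = []): array
{
    if ($node instanceof __PHP_Incomplete_Class) {
        $props = (array) $node;
        $out[] = $props['__PHP_Incomplete_Class_Name'] ?? '?';
        unset($props['__PHP_Incomplete_Class_Name']);
        foreach ($props as $child) { incomplete_classes($child, $out); }
    } elseif (is_array($node)) {
        foreach ($node as $child) { incomplete_classes($child, $out); }
    }
    return array_values(array_unique($out));
}

function scan_meta(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $value    = $row['meta_value'];
        $suspects = object_records($value);
        if (!$suspects) {
            continue;
        }
        $parsed    = @unserialize($value, ['allowed_classes' => false]);
        $confirmed = $parsed === false ? [] : incomplete_classes($parsed);
        $findings[] = [
            'post_id'  => $row['post_id'],
            'meta_key' => $row['meta_key'],
            'classes'  => $confirmed ?: $suspects,
            // A value that will not even parse is still worth a look: attackers
            // sometimes rely on parser quirks rather than well-formed data.
            'status'   => $confirmed ? 'confirmed object' : 'malformed, heuristic match only',
        ];
    }
    return $findings;
}

// Constructed rows: two benign, one carrying an object, one malformed.
$rows = [
    ['post_id' => 10, 'meta_key' => '_ac_ids', 'meta_value' => '12,15'],
    ['post_id' => 11, 'meta_key' => '_ac_ids', 'meta_value' => 'a:2:{i:0;i:12;i:1;i:15;}'],
    ['post_id' => 12, 'meta_key' => '_ac_ids', 'meta_value' => 'a:1:{i:0;O:9:"SomeClass":1:{s:4:"file";s:10:"/tmp/x.php";}}'],
    ['post_id' => 13, 'meta_key' => '_ac_ids', 'meta_value' => 'O:9:"SomeClass":2:{s:1:"a";i:1;}'], // truncated on purpose
];

print_r(scan_meta($rows)); // reports post 12 (confirmed) and post 13 (heuristic)
```

A hit is an indicator, not proof of exploitation: some plugins store objects in post meta legitimately, so compare the class names against what the installed code base would plausibly serialize before treating a row as an injected payload.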

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for Remote Code Execution, this vulnerability poses a severe risk to any WordPress environment running the Admin Columns plugin. Administrators should update the plugin to version 7.0.19 or later immediately, and, where the update was applied late, check stored post meta for serialized object records that may have been injected before the fix.