Security Advisory - Published 2026-06-12 - WordPress

WordPress plugin check: Admin Columns RCE and WP Captcha PRO account risk

If your site allows subscribers, contributors, customers, authors, or agency staff into wp-admin, check these plugins now. The affected Admin Columns issue starts at Contributor-level access. The WP Captcha PRO issues start at Subscriber-level access. That makes public membership sites, WooCommerce stores, course sites, and client portals the first places to review.

Defensive scope: this page covers plugin inventory, safe patching, administrator review, upload checks, and cleanup notes for sites you own or manage. It does not include payloads, temporary login generation steps, or instructions for testing someone else's WordPress site.

What is affected

CVE | Plugin | Affected versions | Patch target | Main check
CVE-2026-7654 | Admin Columns | Through 7.0.18 | 7.0.19 or newer | Contributor and custom-field activity
CVE-2026-5411 | WP Captcha PRO / Advanced Google reCAPTCHA slug | Through 5.38 | 5.39 or newer | Unexpected files in uploads
CVE-2026-5415 | WP Captcha PRO / Advanced Google reCAPTCHA slug | Through 5.38 | 5.39 or newer | Unexpected administrator sessions or users

Fast version check

cd /path/to/wordpress
wp plugin list --fields=name,version,status | egrep 'codepress-admin-columns|advanced-google-recaptcha'
wp plugin get codepress-admin-columns --field=version 2>/dev/null
wp plugin get advanced-google-recaptcha --field=version 2>/dev/null

No WP-CLI? Open WordPress admin, go to Plugins, and search for Admin Columns and Advanced Google reCAPTCHA. WP Captcha PRO uses the same advanced-google-recaptcha plugin slug, so check the installed version even when the plugin screen shows the free name.
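As an added example (not part of this advisory or of either plugin), the POSIX shell script below compares installed plugin versions against the patch targets in the table above and flags anything still on a vulnerable release. It reads a constructed inventory so it runs offline; feeding it real `wp plugin list` output as shown in the comment is an assumption about how you would wire it in.

```shell
#!/bin/sh
# Added example, not from the advisory: flag installed plugins that are below
# the patch targets listed in the table above. Offline by default; to run it
# against a real site, replace sample_inventory with the output of
#   wp plugin list --fields=name,version --format=csv | tail -n +2 | tr ',' ' '

# True (exit 0) when dotted version $1 is numerically below $2 (7.0.18 < 7.0.19,
# 5.4 < 5.38). Compares up to three numeric components.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Minimum safe version per plugin slug, taken from the advisory table.
patch_target() {
    case "$1" in
        codepress-admin-columns)   echo 7.0.19 ;;
        advanced-google-recaptcha) echo 5.39 ;;   # same slug as WP Captcha PRO
        *)                         echo "" ;;
    esac
}

# Classify one slug/version pair: VULNERABLE, OK, or UNTRACKED.
classify() {
    target=$(patch_target "$1")
    if [ -z "$target" ]; then
        echo UNTRACKED
    elif version_lt "$2" "$target"; then
        echo VULNERABLE
    else
        echo OK
    fi
}

# Constructed sample inventory in "slug version" form (not real site data).
sample_inventory() {
    printf 'codepress-admin-columns 7.0.18\n'
    printf 'advanced-google-recaptcha 5.39\n'
    printf 'akismet 5.3\n'
}

# Read "slug version" lines on stdin, print "slug version VERDICT" per line.
report() {
    while read -r slug version rest; do
        [ -n "$slug" ] || continue
        printf '%s %s %s\n' "$slug" "$version" "$(classify "$slug" "$version")"
    done
}

sample_inventory | report
```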

Patch before deeper review

  1. Back up the database and files before changing production plugins.
  2. Update Admin Columns to 7.0.19 or newer if it is installed.
  3. Update WP Captcha PRO / Advanced Google reCAPTCHA to 5.39 or newer if it is installed.
  4. If either plugin is unused, deactivate and delete it instead of leaving old code on disk.
  5. Clear page cache, object cache, and CDN cache after plugin updates.

Account checks after patching

wp user list --role=administrator --fields=ID,user_login,user_email,roles,user_registered
wp user list --role=contributor --fields=ID,user_login,user_email,roles,user_registered
wp user list --role=subscriber --fields=ID,user_login,user_email,roles,user_registered | tail -40

  • Unknown administrators, changed admin email addresses, or new users near June 5, 2026 need review.
  • Public registration sites should inspect recent Subscriber accounts before trusting the site again.
  • Agency-managed sites should check whether old client, writer, or test accounts still have wp-admin access.

File and plugin integrity checks

find wp-content/uploads -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -mtime -21 -print
find wp-content/mu-plugins wp-content/plugins wp-content/themes -type f -mtime -21 -print | head -80
wp plugin list --status=active --fields=name,version,update

Treat PHP-like files in uploads as suspicious until you can explain who placed them there. For Admin Columns, also review recent posts edited by Contributor or Author accounts and custom fields attached to those posts. Do not paste serialized samples into production to "test" the issue; patch and review logs instead.

Signs this may already be a compromise

  • Admin login events that do not match normal staff IPs or work hours.
  • New Administrator users, new application passwords, or changed contact emails.
  • Unexpected files under wp-content/uploads, mu-plugins, active theme folders, or plugin folders.
  • Recent Contributor or Subscriber activity followed by admin actions with no normal handoff.
  • Security plugin logs showing blocked file upload, deserialization, or account-switching attempts.

When this becomes a repair job

Use Ping7 CVE Repair if you find an unknown admin, PHP-like files in uploads, changed plugin/theme files, or user activity you cannot tie to a real person. Ping7 repair work stays defensive: owned systems, client-approved environments, cleanup, patching, and verification only.
