Security Advisory - Published 2026-06-12 - WordPress
WordPress plugin check: Admin Columns RCE and WP Captcha PRO account risk
If your site allows subscribers, contributors, customers, authors, or agency staff into wp-admin, check these plugins now. The affected Admin Columns issue starts at Contributor-level access. The WP Captcha PRO issues start at Subscriber-level access. That makes public membership sites, WooCommerce stores, course sites, and client portals the first places to review.
What is affected
| CVE | Plugin | Affected versions | Patch target | Main check |
|---|---|---|---|---|
| CVE-2026-7654 | Admin Columns | Through 7.0.18 | 7.0.19 or newer | Contributor and custom-field activity |
| CVE-2026-5411 | WP Captcha PRO / Advanced Google reCAPTCHA slug | Through 5.38 | 5.39 or newer | Unexpected files in uploads |
| CVE-2026-5415 | WP Captcha PRO / Advanced Google reCAPTCHA slug | Through 5.38 | 5.39 or newer | Unexpected administrator sessions or users |
Fast version check
cd /path/to/wordpress
wp plugin list --fields=name,version,status | egrep 'codepress-admin-columns|advanced-google-recaptcha'
wp plugin get codepress-admin-columns --field=version 2>/dev/null
wp plugin get advanced-google-recaptcha --field=version 2>/dev/null
No WP-CLI? Open WordPress admin, go to Plugins, and search for Admin Columns and Advanced Google reCAPTCHA. WP Captcha PRO uses the same advanced-google-recaptcha plugin slug, so check the installed version even when the plugin screen shows the free name.
Patch before deeper review
- Back up the database and files before changing production plugins.
- Update Admin Columns to 7.0.19 or newer if it is installed.
- Update WP Captcha PRO / Advanced Google reCAPTCHA to 5.39 or newer if it is installed.
- If either plugin is unused, deactivate and delete it instead of leaving old code on disk.
- Clear page cache, object cache, and CDN cache after plugin updates.
Account checks after patching
wp user list --role=administrator --fields=ID,user_login,user_email,roles,user_registered
wp user list --role=contributor --fields=ID,user_login,user_email,roles,user_registered
wp user list --role=subscriber --fields=ID,user_login,user_email,roles,user_registered | tail -40
- Unknown administrators, changed admin email addresses, or new users near June 5, 2026 need review.
- Public registration sites should inspect recent Subscriber accounts before trusting the site again.
- Agency-managed sites should check whether old client, writer, or test accounts still have wp-admin access.
File and plugin integrity checks
find wp-content/uploads -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -mtime -21 -print
find wp-content/mu-plugins wp-content/plugins wp-content/themes -type f -mtime -21 -print | head -80
wp plugin list --status=active --fields=name,version,update
Treat PHP-like files in uploads as suspicious until you can explain who placed them there. For Admin Columns, also review recent posts edited by Contributor or Author accounts and custom fields attached to those posts. Do not paste serialized samples into production to "test" the issue; patch and review logs instead.
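The fast version check and the integrity checks in this section, as an added shell example that is not part of the advisory: it compares an installed version against the advisory's patch targets (7.0.19 and 5.39) with a portable numeric version compare, flags PHP-like files by extension, and, when WP-CLI and a wp-content directory are present, runs the live check from the site root. The function names and the 21-day window are this example's own assumptions.

```shell
# Added example, not part of the advisory. Assumes numeric dotted versions
# and, for the live check, WP-CLI on PATH with the WordPress root as cwd.

# version_lt A B: succeeds when dotted version A sorts strictly before B
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}                   # leading component of each
    [ "$a" = "$ai" ] && a='' || a=${a#*.}      # drop the consumed component
    [ "$b" = "$bi" ] && b='' || b=${b#*.}
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0  # missing component counts as 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1                                     # versions are equal
}

# is_affected SLUG VERSION: succeeds when VERSION is below the patch target
is_affected() {
  case "$1" in
    codepress-admin-columns)   target=7.0.19 ;;  # CVE-2026-7654
    advanced-google-recaptcha) target=5.39 ;;    # CVE-2026-5411 / CVE-2026-5415
    *) return 2 ;;                               # not covered by this advisory
  esac
  version_lt "$2" "$target"
}

# flag_php_like: read paths on stdin, print those with PHP-executable extensions
flag_php_like() {
  while IFS= read -r path; do
    case "$(printf '%s' "$path" | tr 'A-Z' 'a-z')" in
      *.php|*.phtml|*.phar) printf '%s\n' "$path" ;;
    esac
  done
}

# check_site: live audit; returns 1 when an affected version is installed
check_site() {
  rc=0
  for slug in codepress-admin-columns advanced-google-recaptcha; do
    v=$(wp plugin get "$slug" --field=version 2>/dev/null) || continue  # not installed
    if is_affected "$slug" "$v"; then echo "AFFECTED: $slug $v (update now)"; rc=1
    else echo "ok: $slug $v"; fi
  done
  # PHP-like files changed in the last 21 days are suspicious until explained
  find wp-content/uploads -type f -mtime -21 | flag_php_like
  return $rc
}

if command -v wp >/dev/null 2>&1 && [ -d wp-content ]; then check_site; fi
```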
Signs this may already be a compromise
- Admin login events that do not match normal staff IPs or work hours.
- New Administrator users, new application passwords, or changed contact emails.
- Unexpected files under wp-content/uploads, mu-plugins, active theme folders, or plugin folders.
- Recent Contributor or Subscriber activity followed by admin actions with no normal handoff.
- Security plugin logs showing blocked file upload, deserialization, or account-switching attempts.
When this becomes a repair job
Use Ping7 CVE Repair if you find an unknown admin, PHP-like files in uploads, changed plugin/theme files, or user activity you cannot tie to a real person. Ping7 repair work stays defensive: owned systems, client-approved environments, cleanup, patching, and verification only.