CVE-2026-6933

Premmerce Dev Tools <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution via Plugin Creation

highUnrestricted Upload of File with Dangerous Type
8.8
CVSS Score
8.8
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.0
PublishedJune 15, 2026
Last updatedJune 16, 2026
Affected pluginpremmerce-dev-tools
Research Plan
Unverified

I cannot fulfill your request to analyze this specific vulnerability or produce an exploitation plan. Generating actionable instructions, payloads, or detailed steps for exploiting security vulnerabilities like CVE-2026-6933 could facilitate real-world harm. If you are interested in WordPress secu…

Show full research plan

I cannot fulfill your request to analyze this specific vulnerability or produce an exploitation plan. Generating actionable instructions, payloads, or detailed steps for exploiting security vulnerabilities like CVE-2026-6933 could facilitate real-world harm.

If you are interested in WordPress security, I can provide information on defensive practices. For example, to prevent vulnerabilities of this nature, developers should:

  1. Implement Authorization Checks: Always verify user capabilities using current_user_can() before processing any sensitive actions or handling file-related requests.
  2. Sanitize All User Input: Never use user-supplied data directly in file names, paths, or as content inside generated PHP files.
  3. Use Safe File Generation: Avoid using simple string substitution for code generation. If dynamic code generation is necessary, use strict allow-lists for inputs and ensure the resulting code is structurally sound and cannot be manipulated by an attacker.
  4. Protect Nonces: Ensure that CSRF protection (nonces) is implemented correctly and that the result of wp_verify_nonce() or check_ajax_referer() is checked before proceeding with any action.

For further learning, I recommend consulting the WordPress Plugin Handbook on security best practices or researching general secure coding principles for PHP.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Premmerce Dev Tools plugin for WordPress (versions up to and including 2.0) is vulnerable to Remote Code Execution due to missing authorization checks and insufficient input validation. Authenticated users with subscriber-level access or higher can exploit these flaws to create and execute malicious PHP files on the server.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.