CVE-2026-6933 HIGH

CVE-2026-6933: Premmerce Dev Tools <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution via Plugin Creation

Vendor Premmerce
Product Premmerce Dev Tools
Weakness CWE-434 · Unrestricted file upload
Published June 16, 2026
Last update June 16, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.
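The following is a hardened shape for the two functions named above, added here as an illustration and not the vendor's code: the handler gates on a capability and a nonce, and the namespace is validated as a PHP namespace before it is substituted into the stub. The stub path, the placeholder token and the nonce action name are assumptions.

```php
<?php
// Added example (not the plugin's own code). Function names are hypothetical.

function premmerce_dev_tools_safe_namespace( string $raw ): ?string {
    // Accept only a PHP namespace: identifiers joined by single backslashes.
    // Semicolons, quotes, whitespace and PHP tags are all rejected, so the
    // value can never close the namespace statement inside the stub.
    $pattern = '/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/';
    return preg_match( $pattern, $raw ) === 1 ? $raw : null;
}

function premmerce_dev_tools_generate_plugin_handler(): void {
    // Missing in the affected versions: an authorization check. Plugin
    // creation is an administrative action, so require that capability.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'premmerce_generate_plugin' ); // nonce action assumed

    $namespace = premmerce_dev_tools_safe_namespace(
        wp_unslash( $_POST['premmerce_plugin_namespace'] ?? '' )
    );
    if ( null === $namespace ) {
        wp_die( 'Invalid plugin namespace.', '', array( 'response' => 400 ) );
    }
    premmerce_dev_tools_create_from_stub( $namespace );
}

function premmerce_dev_tools_create_from_stub( string $namespace ): void {
    // The target file name is derived from the validated namespace rather
    // than taken from the request, so the caller cannot choose the path.
    $slug = strtolower( str_replace( '\\', '-', $namespace ) );
    $stub = file_get_contents( __DIR__ . '/stubs/plugin.php.stub' ); // path assumed
    $code = str_replace( '{{NAMESPACE}}', $namespace, $stub );       // token assumed
    $dir  = WP_PLUGIN_DIR . '/' . $slug;
    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
    }
    file_put_contents( $dir . '/' . $slug . '.php', $code );
}
```

With this validation an input such as `Acme\Tools; echo 1` is rejected with a 400 before any file is written, and a Subscriber-level account is stopped at the capability check before the input is even read.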

Explanation of Vulnerability in Simple Terms

02 Summary

Premmerce Dev Tools versions 2.0 and earlier allow authenticated users to upload files without proper validation. An attacker with low-level access can upload malicious files to the server, potentially gaining the ability to run their own code. This affects confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker Capabilities

Upload malicious files and run their own code on the server.

Potential impact on your site

04 Site Impact

Compromised site with potential data theft, defacement, or complete takeover.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06 Disclosure timeline

June 16, 2026 CVE published