Description
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Premmerce Dev Tools plugin for WordPress exposes a handler ('generatePluginHandler') that scaffolds a new plugin from user-supplied POST data. In versions up to and including 2.0 this handler performs no authorization check before acting on the request, and the 'createFromStub' function it calls substitutes the supplied 'premmerce_plugin_namespace' value directly into PHP stub files, written under wp-content/plugins/, without validating it. An attacker authenticated as a Subscriber or higher can terminate the namespace statement with a semicolon and append arbitrary PHP; the generated file then contains that code and executes it the first time it is requested over HTTP. The record classifies the flaw as CWE-434 (Unrestricted Upload of File with Dangerous Type); mechanically it is code injection through unsanitised string substitution, reachable because of the missing authorization check. Successful exploitation yields code execution as the web server user, which means full control of the WordPress installation, the ability to read, modify or delete its data and database credentials, and a foothold for pivoting to other systems.
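The following PHP is an added illustration of the pattern the advisory describes, not the plugin's own source. The stub text and both function bodies are reconstructions; the only names taken from the record are 'createFromStub' and the 'premmerce_plugin_namespace' value that ends up in the NAMESPACE placeholder. The placeholder syntax, the second PLUGIN_NAME placeholder and the allow-lists are assumptions of this example. The vulnerable version substitutes raw request values into the stub; the hardened version validates each value against the grammar of the position it is substituted into before touching the stub.

```php
<?php
// Added illustration; not the plugin's code. Function bodies, stub text,
// placeholder syntax and allow-lists are assumptions of this example.

// A plugin stub with placeholders, as a scaffolding tool might ship it
// (constructed example).
function stubTemplate(): string
{
    return <<<'STUB'
<?php
/**
 * Plugin Name: {{PLUGIN_NAME}}
 */
namespace {{NAMESPACE}};

class Plugin
{
}
STUB;
}

// Plain placeholder substitution: {{KEY}} is replaced by $vars['KEY'].
function substitutePlaceholders(string $stub, array $vars): string
{
    foreach ($vars as $key => $value) {
        $stub = str_replace('{{' . $key . '}}', $value, $stub);
    }
    return $stub;
}

// Vulnerable pattern: request values go straight into PHP source, so any
// text that is valid PHP after "namespace " becomes executable code.
function createFromStubVulnerable(string $stub, array $vars): string
{
    return substitutePlaceholders($stub, $vars);
}

// A PHP namespace is one or more identifiers joined by backslashes. Anything
// else, including ';', whitespace or comment markers, is rejected.
function isValidNamespace(string $ns): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $ns) === 1;
}

// The plugin name lands inside a doc comment, where "*/" would break out of
// it, so it gets its own conservative allow-list.
function isValidPluginName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $name) === 1;
}

// Hardened pattern: validate before substituting. Authorization (who may
// call this at all) belongs in the handler that invokes it, not here.
function createFromStubHardened(string $stub, array $vars): string
{
    if (!isValidNamespace($vars['NAMESPACE'] ?? '')) {
        throw new InvalidArgumentException('NAMESPACE is not a valid PHP namespace');
    }
    if (!isValidPluginName($vars['PLUGIN_NAME'] ?? '')) {
        throw new InvalidArgumentException('PLUGIN_NAME contains disallowed characters');
    }
    return substitutePlaceholders($stub, $vars);
}

// Payload of the shape the advisory describes: terminate the namespace
// statement, append PHP, and comment out the stub's own trailing ';'.
$payload = 'Evil; system($_GET["c"]); //';

// The real handler writes this string to a file under wp-content/plugins/,
// which then runs the injected call on every direct HTTP request to it.
echo createFromStubVulnerable(stubTemplate(), ['PLUGIN_NAME' => 'Demo', 'NAMESPACE' => $payload]), "\n";

try {
    createFromStubHardened(stubTemplate(), ['PLUGIN_NAME' => 'Demo', 'NAMESPACE' => $payload]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate value passes unchanged.
echo createFromStubHardened(stubTemplate(), ['PLUGIN_NAME' => 'Demo', 'NAMESPACE' => 'Premmerce\\Demo']), "\n";
```

Run with `php example.php`: the first output shows `namespace Evil; system($_GET["c"]); //;` in the generated file, the second is the rejection, the third is a clean stub. The point of the allow-list approach is that escaping cannot help here; there is no quoting context to escape into, so the only safe input is one that is already a namespace.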

Affected Systems

WordPress installations running Premmerce Dev Tools version 2.0 or earlier with the plugin active. Any authenticated user holding Subscriber-level access or greater on such a site can exploit the vulnerability. Sites that allow open registration (Settings > General > "Anyone can register") hand out the Subscriber role by default, which makes the flaw effectively unauthenticated on those sites. Note that the plugin is a development scaffolding tool; its presence on a production site is itself worth questioning.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity: network reachable, low attack complexity, low privileges, no user interaction, and full impact on confidentiality, integrity and availability. The EPSS score of less than 1% estimates a low probability of exploitation activity in the wild over the next 30 days as of this analysis; it says nothing about how hard the bug is to exploit, which here is straightforward. The vulnerability is not listed in CISA KEV. The likely attack path is a single crafted POST request to the plugin-generation handler with a malicious 'premmerce_plugin_namespace' value, followed by an HTTP request to the newly written file under wp-content/plugins/ to trigger it; the attacker needs valid WordPress credentials, but only at Subscriber level.

Generated by OpenCVE AI on June 16, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Premmerce Dev Tools to a release that adds the authorization check and validates the namespace value. No fixed version is recorded for this CVE at the time of writing; if none is available, deactivate and uninstall the plugin. Because it only scaffolds new plugins, it has no function on a production site and can normally be removed outright.
  • If the plugin must stay, gate the plugin-generation request so that it requires an administrative capability such as install_plugins (for example with a must-use plugin that rejects POST requests carrying 'premmerce_plugin_namespace' from lesser users), and add a WAF rule that blocks that parameter when it contains anything other than identifier characters and backslashes.
  • As containment, make wp-content/plugins read‑only for the web server user; note that this also blocks plugin installs and updates through wp-admin, so lift it for maintenance windows. Monitor for new PHP files or directories appearing under wp-content/plugins. Independently of the upgrade, audit that directory for plugins created after the vulnerable version was installed: a file planted through this bug is a persistent backdoor that a later upgrade does not remove.
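The must-use plugin below is an added containment example written for this page, not vendor code. Save it as wp-content/mu-plugins/premmerce-gate.php; must-use plugins load before regular plugins and cannot be deactivated from wp-admin. It relies on the advisory's statement that generation is triggered by a POST request carrying 'premmerce_plugin_namespace'. Requiring the 'install_plugins' capability, the namespace allow-list, the hook choice and the log format are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Gate for Premmerce Dev Tools plugin generation (added example)
 *
 * Added containment example, not vendor code. Assumes, per the advisory,
 * that generation is a POST carrying 'premmerce_plugin_namespace'. The
 * required capability, allow-list and log format are this example's choices.
 */

defined('ABSPATH') || exit;

// Same grammar as a PHP namespace: identifiers joined by backslashes.
function premmerce_gate_namespace_is_valid(string $ns): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $ns) === 1;
}

// Decide whether a request may reach the generator. Returns null to allow
// or a reason string to block. Kept free of WordPress calls so it can be
// exercised with plain arrays outside WordPress.
function premmerce_gate_reason_to_block(array $post, bool $user_may_install): ?string
{
    if (!array_key_exists('premmerce_plugin_namespace', $post)) {
        return null; // not a plugin-generation request
    }
    if (!$user_may_install) {
        return 'caller lacks the install_plugins capability';
    }
    $ns = $post['premmerce_plugin_namespace'];
    if (!is_string($ns) || !premmerce_gate_namespace_is_valid($ns)) {
        return 'premmerce_plugin_namespace is not a valid PHP namespace';
    }
    return null;
}

// Priority 0 on 'init' runs before callbacks the plugin registers on 'init'
// at default priority and before 'admin_init', 'admin_post_*' and
// 'wp_ajax_*', which all fire later in the request.
add_action('init', function (): void {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return;
    }
    $reason = premmerce_gate_reason_to_block($_POST, current_user_can('install_plugins'));
    if ($reason === null) {
        return;
    }
    error_log(sprintf(
        '[premmerce-gate] blocked plugin generation: user=%d ip=%s reason=%s',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $reason
    ));
    wp_die('Forbidden', 'Forbidden', ['response' => 403]);
}, 0);
```

Two caveats. If the plugin turns out to register its handler on an earlier hook such as 'plugins_loaded', move the gate to that hook; because must-use plugins are included first, priority 0 there still runs ahead of the plugin's callback, and the pluggable user functions are already available at that point. And the gate only stops new files from being written; it does nothing about files an attacker may already have planted, which is why the audit of wp-content/plugins in the previous list still has to happen.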

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Values removed: none
Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Values removed: none
Values added:
  Description: The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.
  Title: Premmerce Dev Tools <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution via Plugin Creation
  Weaknesses: CWE-434
  References: none recorded
  Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-16T14:52:26.336Z

Reserved: 2026-04-23T18:26:15.473Z

Link: CVE-2026-6933

Vulnrichment

Updated: 2026-06-16T14:52:22.448Z

NVD

Status: Deferred

Published: 2026-06-16T06:16:58.540

Modified: 2026-06-16T15:22:49.577

Link: CVE-2026-6933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type