Skip to main content

Premmerce Dev Tools CVE-2026-6933

| EUVDEUVD-2026-37033 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-16 Wordfence GHSA-gjvr-7x7p-x3vq
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable wp-admin endpoint (AV:N), single crafted POST (AC:L), requires authenticated Subscriber account (PR:L), no victim interaction (UI:N), and arbitrary PHP execution yields full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 06:21 vuln.today
CVE Published
Jun 16, 2026 - 04:30 nvd
HIGH 8.8

DescriptionNVD

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.

AnalysisAI

Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.

Technical ContextAI

The vulnerability lives in Premmerce Dev Tools' PluginGenerator subsystem, a developer utility that scaffolds new WordPress plugins from PHP stub templates. According to the linked source at PluginGenerator.php#L125, the createFromStub routine performs naive string replacement of the premmerce_plugin_namespace parameter directly into PHP stub files before writing them to wp-content/plugins/, never validating that the value is a legal PHP namespace identifier. Compounding this, Admin.php#L107 registers generatePluginHandler as an AJAX/admin-post action without a capability check or nonce gating that restricts it to administrators. CWE-434 (Unrestricted Upload of File with Dangerous Type) captures the root cause: a trusted server-side file-write primitive is exposed to low-privileged users who control its filename and content. The CPE cpe:2.3:a:premmerce:premmerce_dev_tools:*:* confirms all distributed versions through 2.0 are in scope.

RemediationAI

No vendor-released patch identified at time of analysis - the references point to vulnerable trunk and tag 2.0 sources with no fixed version published, so the primary recommended action is to deactivate and delete the Premmerce Dev Tools plugin until the vendor ships a release that adds a current_user_can('manage_options') (or equivalent) check in generatePluginHandler and properly validates premmerce_plugin_namespace against a strict identifier regex. As compensating controls while waiting for an upstream fix, restrict access to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php for unauthenticated and Subscriber-role users at the WAF or reverse proxy (note: this can break legitimate front-end AJAX features such as add-to-cart or comment submission), disable new user self-registration via Settings → General → Membership (side effect: blocks legitimate signups for WooCommerce/membership sites), and monitor wp-content/plugins/ for newly created directories or PHP files written outside of plugin install workflows. Monitor https://www.wordfence.com/threat-intel/vulnerabilities/id/c43c060b-7a18-49ee-a753-ae1ed2f7e04d for the patched version announcement.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-6933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy