Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable wp-admin endpoint (AV:N), single crafted POST (AC:L), requires authenticated Subscriber account (PR:L), no victim interaction (UI:N), and arbitrary PHP execution yields full C/I/A impact.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.
AnalysisAI
Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.
Technical ContextAI
The vulnerability lives in Premmerce Dev Tools' PluginGenerator subsystem, a developer utility that scaffolds new WordPress plugins from PHP stub templates. According to the linked source at PluginGenerator.php#L125, the createFromStub routine performs naive string replacement of the premmerce_plugin_namespace parameter directly into PHP stub files before writing them to wp-content/plugins/, never validating that the value is a legal PHP namespace identifier. Compounding this, Admin.php#L107 registers generatePluginHandler as an AJAX/admin-post action without a capability check or nonce gating that restricts it to administrators. CWE-434 (Unrestricted Upload of File with Dangerous Type) captures the root cause: a trusted server-side file-write primitive is exposed to low-privileged users who control its filename and content. The CPE cpe:2.3:a:premmerce:premmerce_dev_tools:*:* confirms all distributed versions through 2.0 are in scope.
RemediationAI
No vendor-released patch identified at time of analysis - the references point to vulnerable trunk and tag 2.0 sources with no fixed version published, so the primary recommended action is to deactivate and delete the Premmerce Dev Tools plugin until the vendor ships a release that adds a current_user_can('manage_options') (or equivalent) check in generatePluginHandler and properly validates premmerce_plugin_namespace against a strict identifier regex. As compensating controls while waiting for an upstream fix, restrict access to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php for unauthenticated and Subscriber-role users at the WAF or reverse proxy (note: this can break legitimate front-end AJAX features such as add-to-cart or comment submission), disable new user self-registration via Settings → General → Membership (side effect: blocks legitimate signups for WooCommerce/membership sites), and monitor wp-content/plugins/ for newly created directories or PHP files written outside of plugin install workflows. Monitor https://www.wordfence.com/threat-intel/vulnerabilities/id/c43c060b-7a18-49ee-a753-ae1ed2f7e04d for the patched version announcement.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37033
GHSA-gjvr-7x7p-x3vq