CVE-2026-6933
Status: Received - Intake
Remote Code Execution in Premmerce Dev Tools WordPress Plugin

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.
Affected Vendors & Products

Vendor:          premmerce
Product:         dev_tools
Version / Range: up to 2.0 (inclusive)
CWE

CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

The Premmerce Dev Tools plugin for WordPress has a vulnerability that allows Remote Code Execution (RCE). This happens because the 'generatePluginHandler' function does not check if the user is authorized before processing POST data. Additionally, the 'createFromStub' function inserts the 'premmerce_plugin_namespace' parameter directly into PHP files without sanitizing it. An attacker with Subscriber-level access or higher can inject malicious PHP code through this parameter, which gets saved as a plugin file and executed when accessed via HTTP.
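The Description and the Executive Summary name two separate defects: the handler performs no authorization check, and the namespace parameter is substituted into a PHP stub without validation. The example below is added here to show how such a handler is hardened in a WordPress plugin; it is not the Premmerce Dev Tools code, and the function names, the stub text and the {{namespace}} placeholder are assumptions. The WordPress functions it calls (current_user_can, check_admin_referer, wp_die, sanitize_key, wp_mkdir_p) are real WordPress APIs.

```php
<?php
// Added illustrative example, not the plugin's own code. Assumes it runs
// inside WordPress; the stub format and placeholder name are assumptions.

/**
 * Validate a user-supplied PHP namespace. A namespace is one or more PHP
 * identifiers separated by backslashes. Anything else, including ';', quotes,
 * newlines or PHP tags, is rejected outright rather than escaped, so the
 * value can never terminate the namespace statement in the generated file.
 */
function premmerce_example_validate_namespace(string $ns): ?string {
    // PHP identifier: a letter or underscore, then letters, digits, underscores.
    $identifier = '[A-Za-z_][A-Za-z0-9_]*';
    // '\\\\' in a single-quoted PHP string is the regex '\\', a literal backslash.
    // '\z' (rather than '$') rejects a trailing newline as well.
    $pattern = '/^' . $identifier . '(\\\\' . $identifier . ')*\z/';
    if (strlen($ns) > 128 || !preg_match($pattern, $ns)) {
        return null;   // e.g. "Foo;bar" or "Foo Bar" fail here
    }
    return $ns;        // e.g. "Acme\\Shop_Tools" passes
}

/**
 * Hardened handler: authorization and a nonce check run before any file is
 * written, and the only user-controlled value reaches the stub after
 * allow-list validation.
 */
function premmerce_example_generate_plugin_handler(): void {
    // 1. Authorization: only users allowed to install plugins may scaffold one.
    if (!current_user_can('install_plugins')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_admin_referer('premmerce_example_generate_plugin');

    // 3. Input validation: reject anything that is not a syntactically valid namespace.
    $ns = premmerce_example_validate_namespace(
        (string) ($_POST['premmerce_plugin_namespace'] ?? '')
    );
    if ($ns === null) {
        wp_die('Invalid plugin namespace', '', ['response' => 400]);
    }

    // 4. Derive the plugin directory name from the validated value only, and
    //    refuse to overwrite an existing plugin.
    $slug = sanitize_key(str_replace('\\', '-', $ns));   // e.g. "acme-shop_tools"
    $dir  = WP_PLUGIN_DIR . '/' . $slug;
    if ($slug === '' || file_exists($dir)) {
        wp_die('Plugin directory already exists or slug is empty', '', ['response' => 409]);
    }

    // 5. Substitute into a stub the plugin author controls. Because of step 3
    //    the value is a bare namespace and cannot carry additional statements.
    $stub = "<?php\n/**\n * Plugin Name: {{namespace}}\n */\nnamespace {{namespace}};\n";
    $code = str_replace('{{namespace}}', $ns, $stub);

    wp_mkdir_p($dir);
    if (file_put_contents($dir . '/' . $slug . '.php', $code) === false) {
        wp_die('Could not write plugin file', '', ['response' => 500]);
    }
}
```

The order matters for defenders: the capability and nonce checks fail closed before any input is read, and the validator is an allow-list (what a namespace may contain) rather than a deny-list of characters, so it does not need to anticipate each way the generated PHP could be broken out of.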

Impact Analysis

The impact is severe: an attacker can execute arbitrary PHP code on the server remotely, which means they can potentially take full control of the WordPress site, modify or delete data, install backdoors, or use the server for further malicious activity. Because only Subscriber-level access is required, the barrier to exploitation is low.
