CVE-2026-6933
Description
CVE-2026-6933: Authenticated RCE in Premmerce Dev Tools ≤2.0 via missing authorization in plugin generation, allowing PHP code injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Premmerce Dev Tools plugin for WordPress, versions up to and including 2.0, contains a remote code execution vulnerability. The generatePluginHandler function, hooked via admin_post_create_plugin, lacks any authorization or nonce check before processing user-supplied POST data [3][4]. The subsequent createFromStub method performs unsanitized string substitution of the premmerce_plugin_namespace parameter directly into PHP stub files [1][2]. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, which gets written into generated plugin files in wp-content/plugins/. Accessing that generated file executes the injected code.
Exploitation
The attacker needs only a WordPress account with Subscriber-level access or higher. The generatePluginHandler action is accessible via admin-post.php without checking the manage_options capability [3][4]. An authenticated attacker can craft a POST request to /wp-admin/admin-post.php?action=create_plugin containing the premmerce_plugin_namespace parameter with payload such as Vendor\;system($_GET['cmd']);?> and other required parameters. The plugin generator then creates a new plugin directory and writes PHP files containing the injected code. By making an HTTP request to the generated plugin’s endpoint (e.g., /wp-content/plugins//index.php), the attacker triggers PHP execution of their payload.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server. This results in complete compromise of the WordPress site: the attacker can read, modify, or delete any files, access the database, escalate privileges, and persist access via the created plugin. The code runs in the context of the web server, with the same permissions as the WordPress installation.
Mitigation
As of the publication date, no fixed version has been released. The only mitigation is to immediately delete or deactivate the Premmerce Dev Tools plugin (versions 2.0 and earlier) as it is a development utility that should not be used on production sites. Site administrators should review all users with Subscriber roles and ensure no untrusted users have accounts if the plugin must remain temporarily active. No workaround short of removing the plugin is available.
- https://plugins.trac.wordpress.org/browser/premmerce-dev-tools/tags/2.0/src/PluginGenerator/PluginGenerator.php#L125
- https://plugins.trac.wordpress.org/browser/premmerce-dev-tools/trunk/src/PluginGenerator/PluginGenerator.php#L125
- https://plugins.trac.wordpress.org/browser/premmerce-dev-tools/trunk/src/Admin/Admin.php#L107
- https://plugins.trac.wordpress.org/browser/premmerce-dev-tools/tags/2.0/src/Admin/Admin.php#L107
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Two affected products, neither with a CPE assigned:
- (no CPE) range: <=2.0
- (no CPE) range: <=2.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in generatePluginHandler combined with unsanitized string substitution of user input into PHP stub files."
Attack vector
An authenticated attacker with at minimum Subscriber-level access sends a POST request to `wp-admin/admin-post.php` with the action parameter set to `create_plugin`. The request includes the `premmerce_plugin_namespace` parameter containing a semicolon followed by arbitrary PHP code. Because `generatePluginHandler` lacks any capability check [ref_id=1][ref_id=2], the unsanitized namespace value is substituted directly into a PHP stub file, which is written to the `wp-content/plugins/` directory. The attacker then accesses the generated plugin file via HTTP, causing the injected PHP code to execute on the server.
Affected code
The vulnerability resides in the `generatePluginHandler` method of `src/Admin/Admin.php` [ref_id=1][ref_id=2]. This method is hooked to `admin_post_create_plugin` and calls `PluginGenerator->generate($_POST)` without any authorization or capability check. The downstream `createFromStub` function performs unsanitized string substitution of the `premmerce_plugin_namespace` POST parameter directly into PHP stub files, which are then written to `wp-content/plugins/`.
What the fix does
No patch is shown in the supplied bundle. The advisory indicates the fix should add an authorization check (e.g., `current_user_can('manage_options')`) inside `generatePluginHandler` before processing POST data, and sanitize or validate the `premmerce_plugin_namespace` parameter to prevent PHP code injection. Without these controls, any authenticated user can trigger arbitrary file generation and achieve remote code execution.
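A hardened form of the handler described above, added here as an illustration and not the plugin's own code: the hook, method and parameter names come from the advisory, while the nonce action name, the `PluginGenerator` constructor and the namespace allow-list pattern are assumptions.

```php
<?php
// Added example (not the plugin's own code): a hardened admin_post_create_plugin
// handler. Hook, class, method and POST parameter names are taken from the
// advisory; the nonce action, constructor call and namespace pattern are assumed.
add_action('admin_post_create_plugin', 'premmerce_dev_tools_generate_plugin_handler_hardened');

function premmerce_dev_tools_validate_namespace(string $namespace): ?string {
    // A PHP namespace is one or more identifiers separated by backslashes.
    // Anything else (';', '?>', whitespace, quotes) is rejected rather than
    // escaped, so no unexpected characters can reach the stub substitution.
    $pattern = '/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/';
    if ($namespace === '' || strlen($namespace) > 128 || !preg_match($pattern, $namespace)) {
        return null;
    }
    return $namespace;
}

function premmerce_dev_tools_generate_plugin_handler_hardened(): void {
    // 1. Authorization: only users who may manage the site can generate plugins.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to generate plugins.'), '', ['response' => 403]);
    }

    // 2. CSRF protection: the submitting form must carry a nonce for this action
    //    (nonce action name is an assumption).
    check_admin_referer('premmerce_create_plugin');

    // 3. Input validation: allow-list the namespace before it touches any stub file.
    $raw = isset($_POST['premmerce_plugin_namespace'])
        ? wp_unslash($_POST['premmerce_plugin_namespace'])
        : '';
    $namespace = premmerce_dev_tools_validate_namespace((string) $raw);
    if ($namespace === null) {
        wp_die(esc_html__('Invalid plugin namespace.'), '', ['response' => 400]);
    }

    // Only the validated value is forwarded to the generator (constructor
    // signature is an assumption; the generate() call is from the advisory).
    $data = $_POST;
    $data['premmerce_plugin_namespace'] = $namespace;
    (new PluginGenerator())->generate($data);

    wp_safe_redirect(admin_url('admin.php'));
    exit;
}
```

The capability check alone closes the authorization gap the advisory describes; the allow-list is what stops a namespace value from carrying anything other than identifiers into the generated files.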
Preconditions
- auth: Attacker must have a WordPress account with at least Subscriber-level access.
- config: The Premmerce Dev Tools plugin must be installed and activated (versions up to and including 2.0).
- network: Attacker must be able to send POST requests to wp-admin/admin-post.php.
- input: Attacker must supply a crafted premmerce_plugin_namespace parameter containing a semicolon and arbitrary PHP code.
Reproduction
The bundle does not include a public exploit or PoC reference with reproduction steps.
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
Seven references (source: nvd):
- plugins.trac.wordpress.org/browser/premmerce-dev-tools/tags/2.0/src/Admin/Admin.php
- plugins.trac.wordpress.org/browser/premmerce-dev-tools/tags/2.0/src/PluginGenerator/PluginData.php
- plugins.trac.wordpress.org/browser/premmerce-dev-tools/tags/2.0/src/PluginGenerator/PluginGenerator.php
- plugins.trac.wordpress.org/browser/premmerce-dev-tools/trunk/src/Admin/Admin.php
- plugins.trac.wordpress.org/browser/premmerce-dev-tools/trunk/src/PluginGenerator/PluginData.php
- plugins.trac.wordpress.org/browser/premmerce-dev-tools/trunk/src/PluginGenerator/PluginGenerator.php
- www.wordfence.com/threat-intel/vulnerabilities/id/c43c060b-7a18-49ee-a753-ae1ed2f7e04d
News mentions
No linked articles in our index yet.