PatchSiren cyber security CVE debrief
CVE-2026-6933 premmerce CVE debrief
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution (RCE) due to a missing authorization check in the 'generatePluginHandler' function and unsanitized string substitution in the 'createFromStub' function. This allows authenticated attackers with Subscriber-level access and above to inject arbitrary PHP code, leading to RCE.
- Vendor: premmerce
- Product: Premmerce Dev Tools
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Operators of WordPress sites running the Premmerce Dev Tools plugin should care. Because the flaw is reachable by any authenticated account with Subscriber-level access or above, any site that holds such low-privilege accounts is exposed, and its administrators should take immediate action to mitigate the risk.
Technical summary
The vulnerability exists in the Premmerce Dev Tools plugin for WordPress, specifically in versions up to and including 2.0. The 'generatePluginHandler' function lacks authorization checks, and the 'createFromStub' function performs unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files. This allows attackers to inject a semicolon followed by arbitrary PHP code into the namespace parameter, resulting in RCE when the generated plugin file is accessed via HTTP.
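Both defects named above (the missing authorization check and the unsanitized substitution) can be closed in the generation path itself. The following is an added illustration, not the plugin's own code: all function names, the nonce action and the stub template are hypothetical, and the handler assumes it runs inside WordPress while the validator runs stand-alone.

```php
<?php
// Added example (not the Premmerce Dev Tools code). Names are hypothetical.

// Accept only a syntactically valid PHP namespace: ASCII identifiers joined by
// single backslashes. Anything else (';', '<?', quotes, whitespace) is rejected
// outright rather than "cleaned", so attacker-controlled text can never reach
// the generated stub in a position where PHP would parse it as code.
function premmerce_devtools_is_valid_namespace(string $ns): bool {
    $ident = '[A-Za-z_][A-Za-z0-9_]*';
    return strlen($ns) <= 128
        && (bool) preg_match('/\A' . $ident . '(\\\\' . $ident . ')*\z/', $ns);
}

// Hardened handler (requires WordPress). The reported root cause is a missing
// authorization check, so the capability test comes first; the nonce check
// covers CSRF on the same endpoint; the allow-list validation replaces the
// unsanitized substitution into the stub.
function premmerce_devtools_generate_plugin_handler_hardened(): string {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', ['response' => 403]);
    }
    check_admin_referer('premmerce_devtools_generate'); // hypothetical nonce action
    $ns = isset($_POST['premmerce_plugin_namespace'])
        ? (string) wp_unslash($_POST['premmerce_plugin_namespace']) : '';
    if (!premmerce_devtools_is_valid_namespace($ns)) {
        wp_die('Invalid plugin namespace.', '', ['response' => 400]);
    }
    // Only a value that passed the allow-list reaches the template.
    $template = "<?php\nnamespace {{namespace}};\n"; // hypothetical stub
    return str_replace('{{namespace}}', $ns, $template);
}

// Stand-alone check of the validator with constructed inputs (php this_file.php).
if (PHP_SAPI === 'cli' && !function_exists('current_user_can')) {
    $cases = [
        'Premmerce\\MyPlugin' => true,
        'MyPlugin'            => true,
        'My Plugin'           => false, // whitespace
        'Foo;'                => false, // statement terminator, the vector described above
        'Foo\\\\Bar'          => false, // empty segment between backslashes
        '1Foo'                => false, // identifier cannot start with a digit
    ];
    foreach ($cases as $input => $expected) {
        $ok = premmerce_devtools_is_valid_namespace($input) === $expected;
        printf("%-24s %s\n", var_export($input, true), $ok ? 'ok' : 'MISMATCH');
    }
}
```

Rejecting rather than escaping is the safer choice here because the value is substituted into source code, where no single escaping rule covers every context it could land in.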
Defensive priority
HIGH
Recommended defensive actions
- Update the Premmerce Dev Tools plugin to a version that includes a fix for this vulnerability.
- Restrict access to the plugin's functionality to prevent unauthorized users from exploiting the vulnerability.
- Monitor plugin usage and logs for suspicious activity.
Evidence notes
The vulnerability was reported by [email protected] and is documented in the Wordfence threat intelligence database [ref-10].
Official resources
CVE-2026-6933 was published on 2026-06-16T06:16:58.540Z and has not been modified since.