CVE-2026-6933: Premmerce Dev Tools <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution via Plugin Creation
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.
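The advisory describes two independent defects: the handler runs with no authorization check, and the namespace value is spliced into PHP source as a raw string. The following is an added example, not the Premmerce Dev Tools plugin's own code, showing how a WordPress plugin generator of this shape would be hardened on both counts. The function and constant names prefixed `premmerce_example_`, the stub template and the `install_plugins` capability choice are assumptions made for illustration; only `generatePluginHandler`, `createFromStub` and the `premmerce_plugin_namespace` parameter come from the advisory.

```php
<?php
// Added example (not the plugin's own code): a hardened version of the
// generator pattern the advisory describes. Names below are assumptions.

// Hypothetical stub template: the generator substitutes {{namespace}} into
// PHP source that is then written under wp-content/plugins/.
const PREMMERCE_EXAMPLE_STUB = "<?php\nnamespace {{namespace}};\n\nclass Plugin {}\n";

/**
 * Accept only a syntactically valid PHP namespace such as Vendor\PluginName.
 * Anything else (semicolons, quotes, newlines, PHP tags, slashes) is rejected
 * outright, so the value can never terminate the namespace statement or
 * escape into the rest of the generated file.
 */
function premmerce_example_validate_namespace( string $ns ): ?string {
    $pattern = '/\A[A-Za-z_][A-Za-z0-9_]*(?:\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/';
    return preg_match( $pattern, $ns ) === 1 ? $ns : null;
}

/**
 * Hardened equivalent of generatePluginHandler: authorization and CSRF checks
 * run before any request data is touched, and input is validated before it
 * reaches the stub writer.
 */
function premmerce_example_generate_plugin_handler(): void {
    // 1. Authorization: writing new plugin code is an install-level action,
    //    so require the capability that already gates plugin installation.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the POST must carry the nonce issued with the generator form.
    check_admin_referer( 'premmerce_example_generate_plugin' );

    // 3. Input validation: reject malformed namespaces instead of "cleaning" them.
    $raw = isset( $_POST['premmerce_plugin_namespace'] )
        ? wp_unslash( $_POST['premmerce_plugin_namespace'] )
        : '';
    $ns = premmerce_example_validate_namespace( (string) $raw );
    if ( null === $ns ) {
        wp_die( 'Invalid plugin namespace.', '', array( 'response' => 400 ) );
    }

    premmerce_example_create_from_stub( $ns );
}

/**
 * Hardened equivalent of createFromStub. The only value substituted into the
 * template is the already-validated namespace, and the output path is derived
 * from it rather than from any raw request field.
 */
function premmerce_example_create_from_stub( string $ns ): string {
    $source = str_replace( '{{namespace}}', $ns, PREMMERCE_EXAMPLE_STUB );

    // Slug from the validated namespace only: [a-z0-9_-] by construction,
    // so the file cannot land outside wp-content/plugins/<slug>/.
    $slug = strtolower( str_replace( '\\', '-', $ns ) );
    $dir  = trailingslashit( WP_PLUGIN_DIR ) . $slug;
    $file = $dir . '/' . $slug . '.php';

    wp_mkdir_p( $dir );
    file_put_contents( $file, $source );
    return $file;
}
```

The order of the checks matters: the capability test and nonce check come before `$_POST` is read, so an unauthorized request is refused without any of its data being processed, and the allow-list validator turns the string-substitution step from a code-injection sink into a pure template fill. Registering the handler on an `admin_post_*` action and emitting the matching nonce in the form are left out here.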
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: — (no fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A missing authorization and unsanitized input vulnerability in the Premmerce Dev Tools plugin for WordPress (versions up to and including 2.0) allows any authenticated user with Subscriber-level access to achieve remote code execution. The attack reaches the vulnerable endpoint over the network by sending a crafted POST request with a malicious namespace parameter, which gets written verbatim into a PHP file on the server. Successful exploitation gives the attacker full control over the server, including reading all data, modifying files, and disrupting services. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.
HarborGuard Coverage
Detection of CVE-2026-6933 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Premmerce Dev Tools plugin. Any image containing an affected version of the plugin is flagged automatically.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 8.8 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer org is available as part of the standard pipeline.
Status: Available
Because no upstream fix version exists for CVE-2026-6933, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is published. In the interim, customers with auto-remediation enabled receive advisory-level notifications and recommended compensating controls surfaced through the HarborGuard dashboard.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress site's HTTP endpoint over the network to send the malicious POST request to the vulnerable handler.
- Authentication: Required
  A valid WordPress account is required, though any low-privilege Subscriber-level account is sufficient; no administrator credentials are needed.
- Victim interaction: Not required
  The attacker does not need any action from another user; the exploit is fully self-contained once the attacker submits the crafted request.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.
Blast Radius
- The attacker writes arbitrary PHP files into the wp-content/plugins/ directory and executes server-side code by accessing those files over HTTP.
- All data stored on the WordPress installation, including user credentials, session tokens, and customer records, is readable by the attacker.
- The attacker can modify or delete any file the web server process has write access to, including WordPress core files, themes, and other plugins.
- The attacker can crash or destabilize the web server process, taking the site offline or making it unresponsive.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-6933 is active for any image that bundles Premmerce Dev Tools at version 2.0 or earlier. Because no upstream patch exists, HarborGuard monitors the advisory on every ingest cycle and will trigger the standard rebuild-and-PR flow automatically the moment a fix version is published; customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. While no patch is available, recommended compensating controls include applying a network policy that restricts unauthenticated and low-privilege HTTP access to the wp-admin endpoint hosting the generatePluginHandler function, enforcing egress filtering on the web server container to limit outbound connections, and disabling the Dev Tools plugin entirely in production environments where plugin scaffolding functionality is not operationally required. HarborGuard surfaces these control suggestions in the finding detail view for affected images.
- premmerce / Premmerce Dev Tools: ≤ 2.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H