CVE-2026-6933

Premmerce · Dev Tools

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution due to missing authorization checks in versions up to 2.

Executive summary

A critical authorization bypass vulnerability in the Premmerce Dev Tools plugin allows unauthenticated attackers to achieve Remote Code Execution (RCE).

Vulnerability

The plugin fails to perform proper authorization checks on critical functions, allowing an unauthenticated attacker to execute arbitrary code on the underlying server.

Business impact

With a CVSS score of 8.8, this is an extremely dangerous vulnerability. An attacker can achieve complete control over the WordPress installation, potentially gaining full server access, installing backdoors, or pivoting into the internal network.

Remediation

Immediate Action: Update the Premmerce Dev Tools plugin immediately, or deactivate and remove it if it is not strictly required for production operations.

Proactive Monitoring: Monitor server logs for unexpected process execution or modifications to WordPress core files.

Compensating Controls: Use a Web Application Firewall (WAF) to block unauthorized requests to the vulnerable plugin endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Remote Code Execution vulnerabilities require immediate attention. Given the ease with which an unauthenticated attacker can exploit this, all instances of the Premmerce Dev Tools plugin must be updated or removed from the environment without delay.
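
Updating or removing "all instances" starts with locating every copy of the plugin on disk. The Python script below is an added example, not code from this advisory or from Premmerce: it walks a web root, reads the WordPress plugin header of each plugin folder, and reports every Premmerce Dev Tools install with its version, matching on the header name so renamed folders are still found. The sample tree, folder names and version string are constructed, and no affected version range is encoded, so compare the reported versions against the vendor's fixed release.

```python
import os
import re
import tempfile

# WordPress reads plugin metadata from the first 8 KiB of a plugin's PHP file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.M | re.I)

def read_plugin_header(php_path):
    """Parse 'Plugin Name' and 'Version' from a PHP file's header comment."""
    with open(php_path, "rb") as fh:
        head = fh.read(8192).decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    return fields

def find_plugin_installs(root, plugin_name="Premmerce Dev Tools"):
    """Return sorted (plugin_dir, version) for every copy of plugin_name under root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.normpath(dirpath).split(os.sep)[-2:] != ["wp-content", "plugins"]:
            continue
        for full in (os.path.join(dirpath, d) for d in sorted(dirnames)):
            for name in sorted(os.listdir(full)):
                path = os.path.join(full, name)
                header = read_plugin_header(path) if name.endswith(".php") and os.path.isfile(path) else {}
                if header.get("plugin name", "").lower() == plugin_name.lower():
                    hits.append((full, header.get("version", "unknown")))
                    break
        dirnames[:] = []  # plugin folders are direct children; do not descend
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample: two sites, one carrying the plugin in a renamed folder."""
    samples = {  # constructed data, not real installs or real version numbers
        "site-a/wp-content/plugins/renamed-folder/main.php": "<?php\n/**\n * Plugin Name: Premmerce Dev Tools\n * Version: 0.0.0-constructed\n */\n",
        "site-b/wp-content/plugins/other/other.php": "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0\n*/\n",
    }
    for rel, body in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_plugin_installs(tmp))
```

The scan lists the plugin whether or not it is active in WordPress, which matches the advisory's instruction to remove it rather than only deactivate it.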