
A critical remote code execution vulnerability in the Sneeit Framework WordPress plugin is under active exploitation, putting every site that still runs a vulnerable version at immediate risk.
The vulnerability, tracked as CVE-2025-6389 with a CVSS score of 9.8, affects versions 8.3 and earlier of the plugin, which has approximately 1,700 active installations and is also bundled with a number of premium themes.
Security researchers discovered the vulnerability on June 10th, 2025, and reported it to the vendor.
The Sneeit Framework development team released a patched version (8.4) on August 5th, 2025, and the vulnerability was publicly disclosed on November 24th, 2025.
Threat actors began exploitation attempts on the day of public disclosure, launching widespread attacks against unpatched installations.
Wordfence security analysts identified and documented the exploitation campaign, reporting that the Wordfence Firewall has blocked over 131,000 exploit attempts since the public disclosure.
Wordfence shipped a firewall rule for this vulnerability to Premium, Care and Response customers on June 23rd, 2025; free users received the same rule on July 23rd, 2025.
That rule only protects sites running Wordfence; an unpatched installation without equivalent filtering in front of it remains fully exploitable.
The vulnerability stems from insufficient input validation in the sneeitarticlespaginationcallback function, an AJAX handler that takes the user-supplied callback and args parameters from the request and passes them to call_user_func without restricting which function may be named.
Because the handler is reachable without authentication through wp-admin/admin-ajax.php, an attacker can send a crafted AJAX request that names any PHP or WordPress function in callback and supplies its arguments in args, which is enough to execute arbitrary code on the server.
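The bug class described above, as an added example (this is not the plugin's code; all sneeit_* names are hypothetical stand-ins for the real handler): a dispatcher that takes callback and args from the request and hands them to call_user_func, next to a hardened version that only accepts a key into a map the code owns and coerces every argument to the type the renderer expects.

```php
<?php
// Added example (not the plugin's code): the bug class the advisory describes,
// a handler that takes `callback` and `args` from the request and hands them to
// call_user_func, next to a hardened version. All sneeit_* names here are
// hypothetical stand-ins for the real handler.

// VULNERABLE: the request chooses the function and its arguments.
function sneeit_pagination_vulnerable(array $request)
{
    $callback = $request['callback'] ?? '';
    $args     = (array) ($request['args'] ?? []);
    // Any callable name works here: phpinfo, wp_insert_user, file_put_contents, system ...
    return call_user_func_array($callback, $args);
}

// HARDENED: the request supplies a key; the code owns the key-to-function map
// and coerces every argument to the type the renderer expects.
const SNEEIT_PAGINATION_RENDERERS = [
    'articles' => 'sneeit_render_articles_page',
];

function sneeit_render_articles_page(int $page, int $per_page): string
{
    return sprintf('<ul class="articles" data-page="%d" data-per-page="%d"></ul>', $page, $per_page);
}

function sneeit_pagination_hardened(array $request)
{
    // In WordPress this would also start with check_ajax_referer() if the
    // endpoint is meant for logged-in users only.
    $key = (string) ($request['callback'] ?? '');
    if (!array_key_exists($key, SNEEIT_PAGINATION_RENDERERS)) {
        return ['error' => 'unknown callback'];
    }
    $args     = is_array($request['args'] ?? null) ? $request['args'] : [];
    $page     = max(1, (int) ($args['page'] ?? 1));
    $per_page = min(50, max(1, (int) ($args['per_page'] ?? 10)));
    // The callable comes from the constant map, never from user input.
    return call_user_func(SNEEIT_PAGINATION_RENDERERS[$key], $page, $per_page);
}

// Constructed attacker request. strtoupper stands in for phpinfo or
// wp_insert_user so the demo is harmless to run.
$attack = ['callback' => 'strtoupper', 'args' => ['owned']];
$legit  = ['callback' => 'articles', 'args' => ['page' => '2', 'per_page' => '999']];

var_dump(sneeit_pagination_vulnerable($attack));  // the attacker's function runs
var_dump(sneeit_pagination_hardened($attack));    // rejected: not a key in the map
var_dump(sneeit_pagination_hardened($legit));     // per_page clamped to the maximum
```

The point of the hardened shape is that the only thing the request controls is a lookup key; a value that is not a key is rejected before anything is called, and the arguments are rebuilt from typed fields rather than forwarded as received. In a real plugin the admin-ajax handler should additionally be registered with the right hook (wp_ajax_ versus wp_ajax_nopriv_) and verify a nonce when the action is not meant to be public.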
Exploitation Mechanics and Attack Vectors
Threat actors employ several tactics to weaponize this vulnerability. Initial exploitation typically involves a POST request to the AJAX handler whose callback parameter names the function the attacker wants to run.
The attacks follow a consistent pattern, beginning with reconnaissance: the callback is set to phpinfo so the response reveals the PHP version, loaded extensions and server configuration.
Subsequent requests attempt to create unauthorized administrator accounts or to write malicious PHP files to disk, establishing persistent backdoor access that patching the plugin alone does not remove.
One prevalent attack vector calls the wp_insert_user function with an administrator role, granting the attacker complete control of the site.
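Triage logic for the attack pattern just described, as an added example (it is not Wordfence's firewall rule and not from the advisory): it inspects requests to admin-ajax.php and reports a hit when the callback parameter names a dangerous PHP or WordPress function, when the payload references one of the file names or the domain from the advisory, or when a request that carries a callback parameter comes from one of the attacking IPs the advisory lists. It goes slightly beyond the text by checking the query string as well as the body, since admin-ajax.php accepts both. The sample requests are constructed; the action value is a hypothetical plugin action name. Requires PHP 8.

```php
<?php
// Added example (not Wordfence's rule, not from the advisory): triage of
// admin-ajax.php requests against the exploitation pattern. The requests below
// are constructed; the three attacker IPs are the ones the advisory lists; the
// `action` value is a hypothetical plugin action name. Requires PHP 8.

const DANGEROUS_CALLBACKS = [
    'phpinfo', 'wp_insert_user',                       // seen in this campaign
    'system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen',
    'file_put_contents', 'fwrite', 'copy', 'move_uploaded_file', 'unlink',
    'assert', 'call_user_func', 'call_user_func_array',
];
const IOC_STRINGS = ['xL.php', 'Canonical.php', 'upsf.php', 'tijtewmg.php',
                     'finderdata.txt', 'goodfinderdata.txt', 'racoonlab.top'];
const IOC_IPS = ['185.125.50.59', '182.8.226.51', '89.187.175.80'];

/** Return a reason string when the request matches the exploit pattern, otherwise null. */
function triage_admin_ajax(array $req): ?string
{
    $path = parse_url($req['uri'], PHP_URL_PATH) ?? '';
    if (!str_ends_with($path, '/wp-admin/admin-ajax.php')) {
        return null;
    }
    // admin-ajax.php reads both GET and POST, so merge query string and body.
    parse_str(parse_url($req['uri'], PHP_URL_QUERY) ?? '', $query);
    parse_str($req['body'], $body);
    $params   = $body + $query;
    $callback = $params['callback'] ?? null;

    if (is_string($callback)) {
        $name = strtolower(ltrim(trim($callback), '\\'));   // "\phpinfo" is still phpinfo
        if (in_array($name, DANGEROUS_CALLBACKS, true)) {
            return "dangerous callback: $name";
        }
    }
    $decoded = urldecode($req['body'] . ' ' . $req['uri']);
    foreach (IOC_STRINGS as $ioc) {
        if (str_contains($decoded, $ioc)) {
            return "payload references IOC: $ioc";
        }
    }
    if ($callback !== null && in_array($req['ip'], IOC_IPS, true)) {
        return "callback parameter from known attacking IP {$req['ip']}";
    }
    return null;
}

/** Run triage over a batch and keep only the hits, keyed by request index. */
function triage_batch(array $requests): array
{
    $hits = [];
    foreach ($requests as $i => $req) {
        if (($reason = triage_admin_ajax($req)) !== null) {
            $hits[$i] = ['ip' => $req['ip'], 'reason' => $reason];
        }
    }
    return $hits;
}

// Constructed sample traffic.
$requests = [
    ['ip' => '185.125.50.59', 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=sneeit_pagination&callback=phpinfo&args[]=1'],
    ['ip' => '182.8.226.51', 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=sneeit_pagination&callback=wp_insert_user'
             . '&args[0][user_login]=wpadmin2&args[0][user_pass]=Pa55&args[0][role]=administrator'],
    ['ip' => '203.0.113.7', 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=sneeit_pagination&callback=sneeit_save_file'
             . '&args[]=wp-content%2Fuploads%2FxL.php&args[]=%3C%3Fphp%20echo%201%3B'],
    ['ip' => '89.187.175.80', 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=sneeit_pagination&callback=some_unknown_name&args[]=1'],
    ['ip' => '198.51.100.9', 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=heartbeat&_nonce=3f2a&data[wp-refresh-post-lock][post_id]=12'],
    ['ip' => '198.51.100.9', 'method' => 'GET',
     'uri' => '/wp-admin/admin-ajax.php?action=sneeit_pagination&callback=phpinfo', 'body' => ''],
];

foreach (triage_batch($requests) as $i => $hit) {
    printf("request #%d from %-15s %s\n", $i, $hit['ip'], $hit['reason']);
}
```

The ordering of the checks matters: a dangerous function name is reported regardless of source address, the IOC string match catches payloads that name a file or domain even when the callback is unfamiliar, and the IP match is the weakest signal, so it is only used when the request already carries the parameter the exploit needs. The heartbeat request, which is ordinary WordPress traffic to the same endpoint, is not flagged.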
| Attribute | Details |
|---|---|
| Vulnerability Name | Unauthenticated Remote Code Execution in sneeitarticlespaginationcallback |
| CVE ID | CVE-2025-6389 |
| CVSS Score | 9.8 (Critical) |
| CVSS Severity | Critical |
| Affected Software | Sneeit Framework |
| Affected Versions | 8.3 and earlier |
| Patched Version | 8.4 |
| Vulnerability Type | Remote Code Execution (RCE) |
| Authentication Required | No (Unauthenticated) |
| Discovery Date | June 10, 2025 |
| Vendor Patch Released | August 5, 2025 |
| Public Disclosure Date | November 24, 2025 |
| Active Exploitation Started | November 24, 2025 |
| Estimated Installations | 1,700+ active installations |
| Affected Deployments | WordPress sites and premium themes |
| Vulnerability Researcher | Tonn |
| Bounty Amount | $537.00 |
| Exploit Attempts Blocked | 131,000+ (as of report date) |
| Root Cause | Insufficient input validation in sneeitarticlespaginationcallback function; user input passed through call_user_func without restriction |
| Attack Vector | AJAX requests to wp-admin/admin-ajax.php endpoint |
| Impact | Complete site compromise, unauthorized admin account creation, backdoor installation, webshell deployment |
| Associated Malware | xL.php, Canonical.php, upsf.php, tijtewmg.php |
| Associated Domain | racoonlab.top |
| Wordfence Protection | Premium/Care/Response users protected since June 23, 2025; Free users protected since July 23, 2025 |
| Indicators of Compromise | Newly added admin accounts, malicious PHP files, finderdata.txt, goodfinderdata.txt, modified .htaccess files |
| Top Attacking IPs | 185.125.50.59 (74,000+ blocked requests), 182.8.226.51 (24,200+ blocked requests), 89.187.175.80 (4,600+ blocked requests) |
| Recommendation | Update to version 8.4 or later immediately |
Alternative methods upload malicious PHP files with names such as xL.php, Canonical.php, and tijtewmg.php.
These files are web shells and file managers: they provide directory scanning, file upload and editing, zip extraction, and permission changes, giving the attacker a full remote console on the site.
A related sample, upsf.php, downloads additional shells from the attacker-controlled domain racoonlab.top.
Those shells also drop .htaccess files into the uploads directory that bypass the script-execution restrictions many Apache hosts apply to wp-content/uploads, so further PHP malware placed there can be executed directly.
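A filesystem sweep for the file-based indicators described above and in the table, as an added example (not from the advisory): it flags the named dropper and finder files anywhere under the WordPress root, any PHP file under wp-content/uploads regardless of extension case, and any .htaccess inside uploads that turns script execution back on, while leaving the usual hardening .htaccess alone. The directory tree it scans is constructed in a temporary directory for the demo, and the list of Apache directives is a heuristic. Requires PHP 8.

```php
<?php
// Added example (not from the advisory): sweep a WordPress root for the
// file-based indicators of this campaign. The directory tree is constructed in
// a temp directory for the demo. Requires PHP 8.

const IOC_FILENAMES = ['xL.php', 'Canonical.php', 'upsf.php', 'tijtewmg.php',
                       'finderdata.txt', 'goodfinderdata.txt'];

// Apache directives that make the server execute files in a directory that
// WordPress hardening normally keeps script-free. Heuristic, not exhaustive.
const HTACCESS_EXEC_PATTERN = '/^\s*(AddHandler|AddType|SetHandler|RemoveHandler|php_flag\s+engine\s+on)\b/im';

/** Return a list of ['path' => ..., 'reason' => ...] for every suspicious file under $root. */
function sweep_wordpress_root(string $root): array
{
    $root     = rtrim($root, '/');
    $uploads  = $root . '/wp-content/uploads/';
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $path      = $file->getPathname();
        $name      = $file->getFilename();
        $inUploads = str_starts_with($path, $uploads);
        if (in_array($name, IOC_FILENAMES, true)) {
            $findings[] = ['path' => $path, 'reason' => 'file name listed as an IOC for this campaign'];
        } elseif ($inUploads && strtolower($file->getExtension()) === 'php') {
            $findings[] = ['path' => $path, 'reason' => 'PHP file inside wp-content/uploads'];
        } elseif ($inUploads && $name === '.htaccess'
                  && preg_match(HTACCESS_EXEC_PATTERN, (string) file_get_contents($path))) {
            $findings[] = ['path' => $path, 'reason' => '.htaccess re-enables script execution in uploads'];
        }
    }
    usort($findings, fn($a, $b) => strcmp($a['path'], $b['path']));
    return $findings;
}

// --- constructed demo tree ---
$root = sys_get_temp_dir() . '/sneeit-ioc-demo-' . getmypid();
foreach (["$root/wp-content/uploads/2025/11", "$root/wp-content/plugins/sneeit-framework"] as $dir) {
    mkdir($dir, 0700, true);
}
$demoFiles = [
    'wp-content/uploads/.htaccess'         => "<FilesMatch \"\\.php$\">\nDeny from all\n</FilesMatch>\n", // benign hardening
    'wp-content/uploads/2025/11/photo.jpg' => 'not really a jpeg',
    'wp-content/uploads/2025/11/.htaccess' => "AddHandler application/x-httpd-php .jpg\n",   // attacker's override
    'wp-content/uploads/xL.php'            => '<?php /* dropped web shell (constructed, empty) */',
    'wp-content/uploads/2025/11/thumb.PHP' => '<?php /* uppercase extension still executes */',
    'wp-content/plugins/sneeit-framework/sneeit.php' => '<?php // legitimate plugin file',
    'goodfinderdata.txt'                   => 'reconnaissance output (constructed)',
];
foreach ($demoFiles as $rel => $content) {
    file_put_contents("$root/$rel", $content);
}

foreach (sweep_wordpress_root($root) as $f) {
    printf("%-45s %s\n", substr($f['path'], strlen($root) + 1), $f['reason']);
}

// Remove the demo tree.
$walk = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walk as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

Run against a real install, the sweep should be pointed at the WordPress root and the printed paths reviewed by hand; the plugin's own PHP files are expected and are not flagged because they live under wp-content/plugins, not uploads. The sweep covers only the file-based indicators; newly added administrator accounts have to be checked in the users table separately.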
Website owners must update to Sneeit Framework version 8.4 or later immediately. Because exploitation began the day of disclosure, any site that ran a vulnerable version after November 24th, 2025 should also be checked for the indicators of compromise listed above (newly added administrator accounts, the named PHP files, finderdata.txt and goodfinderdata.txt, and modified .htaccess files) and cleaned, since updating the plugin does not remove a backdoor that is already in place.
