Full Report
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active
Analysis Summary
# Vulnerability: Sneeit Framework Unauthenticated Remote Code Execution (RCE)
## CVE Details
- CVE ID: CVE-2025-6389
- CVSS Score: 9.8 (Critical)
- CWE: Not specified in context.
## Affected Systems
- Products: Sneeit Framework WordPress Plugin
- Versions: All versions prior to and including 8.3.
- Configurations: WordPress installations utilizing the vulnerable plugin versions. (Active installations: > 1,700)
## Vulnerability Description
The vulnerability is an unauthenticated Remote Code Execution (RCE) flaw: `sneeit_articles_pagination_callback()` takes a value from the incoming request and passes it straight to `call_user_func()`, so the sender of the request chooses which PHP function the server runs. This is not a logic error in the pagination itself but an unsafe dynamic call: `call_user_func()` will invoke any callable name it is given, so no file upload or login is needed first. Observed attacks name a WordPress function such as `wp_insert_user()` to create a new administrator account, and use the same primitive to write files and install backdoors.
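The following is an added illustration of the anti-pattern just described next to a hardened form. It is not the Sneeit Framework's code and does not reproduce the plugin's real handler: the function names, the `demo_pagination` AJAX action, the `callback`/`args`/`layout`/`page` request parameters and the two renderer functions are all assumed for the example. The WordPress helpers it calls (`check_ajax_referer`, `sanitize_key`, `absint`, `esc_attr`, `wp_send_json_*`, `add_action`) are real core functions.

```php
<?php
// Added illustration for this page, NOT the Sneeit Framework's code.
// Handler names, action name, parameter names and renderers are assumed.

// VULNERABLE SHAPE: the request names the function to call.
// call_user_func() accepts any callable string, so "wp_insert_user",
// "file_put_contents" or "system" are all valid choices for the caller.
function demo_pagination_callback_vulnerable() {
    $callback = isset( $_REQUEST['callback'] ) ? $_REQUEST['callback'] : '';
    $args     = isset( $_REQUEST['args'] ) ? (array) $_REQUEST['args'] : array();
    echo call_user_func( $callback, $args );   // attacker-chosen function
    wp_die();
}

// HARDENED SHAPE: the request picks a key from a fixed table that the plugin
// owns, inputs are coerced to the types the renderers expect, and a nonce is
// checked. Nothing the client sends is ever used as a callable.
function demo_pagination_renderers() {
    return array(
        'grid' => 'demo_render_grid',
        'list' => 'demo_render_list',
    );
}

function demo_render_grid( $page ) {
    return '<div class="grid" data-page="' . esc_attr( $page ) . '"></div>';
}

function demo_render_list( $page ) {
    return '<ul class="list" data-page="' . esc_attr( $page ) . '"></ul>';
}

function demo_pagination_callback_hardened() {
    // CSRF protection for the AJAX action; logged-out visitors get a nonce too.
    if ( ! check_ajax_referer( 'demo_pagination', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );   // exits
    }
    $layout    = isset( $_REQUEST['layout'] ) ? sanitize_key( $_REQUEST['layout'] ) : '';
    $renderers = demo_pagination_renderers();
    if ( ! isset( $renderers[ $layout ] ) ) {
        wp_send_json_error( 'unknown layout', 400 );   // exits
    }
    $page = isset( $_REQUEST['page'] ) ? max( 1, absint( $_REQUEST['page'] ) ) : 1;
    // The callable comes from the plugin's own table, never from the request.
    wp_send_json_success( call_user_func( $renderers[ $layout ], $page ) );
}

// Registered for logged-in and anonymous users alike, as a public pagination
// handler would be; that unauthenticated reach is why the allowlist matters.
add_action( 'wp_ajax_demo_pagination', 'demo_pagination_callback_hardened' );
add_action( 'wp_ajax_nopriv_demo_pagination', 'demo_pagination_callback_hardened' );
```

The nonce check is CSRF protection, not authorization; the fix that removes the RCE is the allowlist lookup, which turns "any function name" into "one of two keys". Reviewing other plugins, grep for `call_user_func`, `call_user_func_array` and `$func()`-style variable calls whose operand can be traced back to `$_GET`, `$_POST` or `$_REQUEST`.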
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (no authentication or user interaction required; a single crafted HTTP request to the plugin's AJAX handler is enough)
- Attack Vector: Network
## Impact
- Confidentiality: High (arbitrary function execution as the web server account exposes any file or database record it can read)
- Integrity: High (ability to modify files, inject code, and create administrative users)
- Availability: High (full site takeover, defacement or shutdown)
## Remediation
### Patches
- Upgrade the Sneeit Framework plugin to version **8.4** or later. (Patch released August 5, 2025).
### Workarounds
- As the vulnerability is actively exploited, mitigate immediately if patching cannot occur right away; the simplest interim step is to deactivate the Sneeit Framework plugin until version 8.4 is installed.
- Do not block `/wp-admin/admin-ajax.php` outright: the endpoint is shared by WordPress core and most plugins, so a blanket block breaks the site. Wordfence observed attacks against this endpoint, so restrict blocking to requests that reach the plugin's pagination handler.
- Implement Web Application Firewall (WAF) rules that drop admin-ajax.php requests whose parameters carry a PHP function name (for example `wp_insert_user`) where the pagination callback expects a layout or page selection. Treat such rules as a stopgap that encoding tricks can bypass, not as a substitute for the update.
## Detection
- Indicators of Compromise (IOCs) observed in the wild include:
  - HTTP requests to the `/wp-admin/admin-ajax.php` endpoint designed to create admin users (e.g., the username "arudikadis") or upload files.
  - Presence of suspicious PHP files such as: "tijtewmg.php", "xL.php", "Canonical.php", ".a.php", and "simple.php".
  - Presence of an externally downloaded `.htaccess` file originating from `racoonlab[.]top`.
- Detection Methods: Monitor incoming requests to `/wp-admin/admin-ajax.php` for payloads that name PHP functions or carry user-creation parameters; note that standard web server access logs record only the query string, so POST bodies need WAF or request-body logging to be seen. Scan the web root for the IOC filenames listed above and for recently modified `.htaccess` files. Audit the `wp_users` table for administrator accounts you did not create, starting with "arudikadis". Because exploitation began before many sites patched, updating to 8.4 does not remove artifacts already dropped: any exposed site that ran a vulnerable version should be hunted for the indicators above.
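As an added example, not from Wordfence or the plugin vendor, the following PHP applies the detection methods above to access-log lines and to a list of file paths. The request-pattern regexes are an assumption about what "suspicious payload structures" look like; the `demo_pagination`/`callback`/`args` parameter names in the sample log are invented for the example and are not the plugin's real parameters. The sample log lines are constructed; the username, file names and domain are the ones the advisory lists.

```php
<?php
// Added detection helper for the IOCs listed on this page. Written for the
// page, not by Wordfence or the plugin vendor. Regexes and sample log lines
// are constructed; the user name, file names and host are from the advisory.

const DEMO_IOC_FILES = array( 'tijtewmg.php', 'xL.php', 'Canonical.php', '.a.php', 'simple.php' );
const DEMO_IOC_USER  = 'arudikadis';
const DEMO_IOC_HOST  = 'racoonlab.top';

// Request shapes worth a look on the admin-ajax endpoint: a WordPress user
// creation function, a generic "<param>=<php identifier>" callback shape,
// or the reported username / host. These patterns are assumptions.
function demo_suspicious_request_patterns() {
    return array(
        'user_create'  => '/wp_(insert|create)_user/i',
        'php_callback' => '/[?&](callback|func|function)=[A-Za-z_][A-Za-z0-9_:]*/i',
        'ioc_user'     => '/' . preg_quote( DEMO_IOC_USER, '/' ) . '/i',
        'ioc_host'     => '/' . preg_quote( DEMO_IOC_HOST, '/' ) . '/i',
    );
}

// Scan combined-log-format lines; returns one hit per matching line with the
// reasons it matched. Access logs carry only the query string, so POST bodies
// (where real payloads usually travel) need WAF or request-body logs instead.
function demo_scan_access_log( array $lines ) {
    $hits = array();
    foreach ( $lines as $n => $line ) {
        if ( ! preg_match( '/"(GET|POST) (\S+) HTTP\//', $line, $m ) ) {
            continue;
        }
        if ( strpos( $m[2], '/wp-admin/admin-ajax.php' ) === false ) {
            continue;
        }
        $decoded = urldecode( $m[2] );
        $reasons = array();
        foreach ( demo_suspicious_request_patterns() as $name => $re ) {
            if ( preg_match( $re, $decoded ) ) {
                $reasons[] = $name;
            }
        }
        if ( $reasons ) {
            $hits[] = array( 'line' => $n + 1, 'target' => $decoded, 'reasons' => $reasons );
        }
    }
    return $hits;
}

// Recursively list regular files under a web root (real SPL iterators).
function demo_list_files( $root ) {
    $paths = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        $paths[] = $file->getPathname();
    }
    return $paths;
}

// Match file names against the dropped-file names reported in the wild,
// plus any .htaccess, which should then be diffed against a known-good copy.
function demo_find_ioc_files( array $paths ) {
    $found = array();
    foreach ( $paths as $p ) {
        $name = basename( $p );
        if ( in_array( $name, DEMO_IOC_FILES, true ) || $name === '.htaccess' ) {
            $found[] = $p;
        }
    }
    return $found;
}

// Constructed sample: two benign admin-ajax calls and two that match.
$demo_sample_log = array(
    '203.0.113.5 - - [08/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312',
    '203.0.113.5 - - [08/Dec/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42',
    '198.51.100.7 - - [08/Dec/2025:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=demo_pagination&callback=wp_insert_user&args%5Buser_login%5D=arudikadis HTTP/1.1" 200 15',
    '198.51.100.7 - - [08/Dec/2025:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=demo_pagination&callback=file_put_contents HTTP/1.1" 200 15',
);

if ( PHP_SAPI === 'cli' ) {
    print_r( demo_scan_access_log( $demo_sample_log ) );          // lines 3 and 4
    print_r( demo_find_ioc_files( demo_list_files( getcwd() ) ) ); // run from the web root
}
```

On the constructed sample, line 3 is flagged for `user_create`, `php_callback` and `ioc_user`, line 4 for `php_callback` only; the heartbeat and bodiless POST lines are ignored. Run the file scan from the WordPress root with `php scan.php`, and treat a hit on the listed names as a reason to take a forensic image rather than just delete the file.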
## References
- Vendor Advisory/Security Disclosure: Wordfence analysis (Mentioned in context).
- Exploitation Activity Report: The Hacker News article (December 8, 2025).