Rewterz

Hackers Exploit WordPress Plugin Flaw for Remote Code Execution

Severity

High

Analysis Summary

A critical remote code execution (RCE) vulnerability has been identified in the Sneeit Framework WordPress plugin, tracked as CVE-2025-6389 and carrying a high CVSS score. The flaw affects plugin versions 8.3 and earlier, impacting approximately 1,700 active installations across WordPress sites and premium themes. The vulnerability was discovered on June 10, 2025; a patched version, 8.4, was released on August 5, 2025, and the flaw was publicly disclosed on November 24, 2025. Threat actors immediately began exploiting it, targeting unpatched sites worldwide. Security analysts have documented over 131,000 blocked exploit attempts since the disclosure, highlighting the urgency of remediation.

The vulnerability stems from insufficient input validation in the sneeitarticlespaginationcallback function, which processes user-supplied parameters without adequately restricting them. Attackers exploit this flaw by sending specially crafted AJAX POST requests to the wp-admin/admin-ajax.php endpoint, manipulating the callback and args parameters to execute arbitrary PHP code on the server. Because no authentication is required, this allows complete site compromise, including unauthorized administrative account creation and installation of persistent backdoors.

Exploitation typically begins with reconnaissance using the phpinfo function to gather server information, followed by attempts to create new admin accounts via wp_insert_user or to upload malicious PHP files such as xL.php, Canonical.php, upsf.php, and tijtewmg.php. These files provide attackers with extensive capabilities, including directory scanning, file management, zip extraction, permission modification, and deployment of webshells. The malicious files may also contact attacker-controlled domains, such as racoonlab.top, to download additional payloads, and may modify .htaccess files to bypass standard upload restrictions on Apache servers.

Website owners are strongly advised to update immediately to Sneeit Framework version 8.4 or later to mitigate the risk. Indicators of compromise include newly added admin accounts, unexpected PHP files, and modified .htaccess files. Although Wordfence users receive firewall protection, unpatched installations remain vulnerable, which underlines the importance of timely updates and of monitoring for signs of exploitation. Failure to remediate can lead to full site compromise, data theft, and persistent backdoor access, making this vulnerability a critical threat for affected WordPress sites.

Impact

  • Gain Access
  • Code Execution

Indicators of Compromise

CVE

  • CVE-2025-6389

Affected Vendors

WordPress

Remediation

  • Immediately update the Sneeit Framework plugin to version 8.4 or later.
  • Verify WordPress sites for unauthorized admin accounts and remove any suspicious accounts.
  • Scan for and remove malicious PHP files such as xL.php, Canonical.php, upsf.php, tijtewmg.php and any unknown webshells.
  • Check and restore modified .htaccess files to ensure no unauthorized directives or backdoors remain.
  • Implement strict access control to project directories to prevent attackers from uploading malicious files.
  • Enable a web application firewall (WAF) to block exploit attempts, especially if running unpatched versions temporarily.
  • Monitor server logs and traffic for suspicious AJAX requests targeting wp-admin/admin-ajax.php.
  • Regularly back up WordPress sites to allow rapid restoration in case of compromise.
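The following script is an added example, not code from Rewterz, Wordfence or the Sneeit Framework project. It turns the exploitation pattern described in the analysis summary and the log-monitoring step of the remediation list into a small triage routine: it reads request records (method, URL, POST body, client address) and flags the signals the advisory names, namely POST requests to wp-admin/admin-ajax.php whose callback parameter names phpinfo or wp_insert_user, callback/args pairs that deserve review, and requests for the listed webshell filenames. The request records, client addresses and the load_more callback value are constructed for the demonstration; the field names of the record dictionaries are an assumption. Note that plain access logs do not contain POST bodies, so in practice the body field has to come from a WAF or ModSecurity audit log.

```python
"""Triage of web request records for the Sneeit Framework RCE pattern.

Added example; not the advisory's or the plugin's code. Sample records below
are constructed, not real log data.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
# Filenames listed as indicators of compromise in the advisory
WEBSHELL_NAMES = {"xL.php", "Canonical.php", "upsf.php", "tijtewmg.php"}
# PHP functions the advisory reports being passed as the callback value
ABUSED_CALLBACKS = {"phpinfo", "wp_insert_user"}


def classify_request(method, url, body=""):
    """Return (tier, reasons) for one request; tier is high, review or none.

    Parameters are read from both the query string and the POST body because
    admin-ajax.php accepts either.
    """
    tier, reasons = "none", []
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    if filename in WEBSHELL_NAMES:
        reasons.append(f"request to known webshell filename {filename}")
        tier = "high"

    if method.upper() == "POST" and parts.path == AJAX_ENDPOINT:
        params = parse_qs(parts.query)
        params.update(parse_qs(body))
        callbacks = [c.strip() for c in params.get("callback", [])]
        abused = [c for c in callbacks if c in ABUSED_CALLBACKS]
        if abused:
            reasons.append(f"callback parameter names PHP function {abused[0]}")
            tier = "high"
        elif callbacks and "args" in params:
            # Legitimate pagination calls may also carry these two parameters,
            # so on its own this is a review item, not a confirmed exploit.
            reasons.append("admin-ajax POST carries callback and args parameters")
            if tier == "none":
                tier = "review"
    return tier, reasons


def triage(records):
    """Count tiers over all records and count flagged requests per client."""
    tiers, flagged = Counter(), Counter()
    for rec in records:
        tier, _ = classify_request(rec["method"], rec["url"], rec.get("body", ""))
        tiers[tier] += 1
        if tier != "none":
            flagged[rec["client"]] += 1
    return dict(tiers), dict(flagged)


# Constructed sample records (RFC 5737 documentation addresses, not real clients)
SAMPLE_REQUESTS = [
    {"client": "203.0.113.10", "method": "POST", "url": AJAX_ENDPOINT,
     "body": "callback=phpinfo&args=1"},
    {"client": "203.0.113.10", "method": "POST", "url": AJAX_ENDPOINT,
     "body": "callback=wp_insert_user&args=1"},
    {"client": "198.51.100.7", "method": "GET",
     "url": "/wp-content/uploads/2025/11/xL.php", "body": ""},
    {"client": "192.0.2.5", "method": "POST", "url": AJAX_ENDPOINT,
     "body": "action=heartbeat&_nonce=abc123"},
    # "load_more" is a hypothetical callback value used only for this sample
    {"client": "192.0.2.9", "method": "POST",
     "url": AJAX_ENDPOINT + "?callback=load_more&args=page%3D2", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_REQUESTS:
        tier, reasons = classify_request(rec["method"], rec["url"], rec["body"])
        print(rec["client"], rec["method"], rec["url"], tier, reasons)
    print(triage(SAMPLE_REQUESTS))
```

Run it as-is to see the sample verdicts, or feed `triage()` records built from a ModSecurity audit log. Clients with several high-tier hits are the ones whose follow-on activity (new admin accounts, new PHP files under uploads, edited .htaccess) should be checked first.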