CVE-2025-6389
published 2025-11-25


Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 43.40% (98.6th percentile)
The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.

Affected

1 range

Vendor | Product | Version range | Fixed in
sneeit | sneeit_framework | <= 8.3 |

Detection & IOCs (extracted from sources)

command: action=sneeit_articles_pagination&callback=system
command: action=sneeit_articles_pagination&callback=wp_insert_user
  • Exploit requests are unauthenticated HTTP POST requests to /wp-admin/admin-ajax.php whose body contains action=sneeit_articles_pagination and a callback parameter set to a dangerous function such as 'system' or 'wp_insert_user'.
  • The callback parameter value should be inspected for shell metacharacters and command injection sequences: semicolons (;), newlines (\n), backticks (`), pipes (|), dollar signs ($), double-quotes ("), and dash-one (-1) patterns, both raw and URL-encoded.
  • Exploitation can result in backdoor injection or creation of new administrative user accounts; monitor WordPress user creation events following suspicious admin-ajax.php POST requests.
  • The vulnerability is actively exploited in the wild; apply threshold-based alerting (e.g., 1 alert per source IP per 180 seconds) to reduce noise while ensuring coverage.
  • The Snort/Suricata rule requires TLS decryption to be effective against HTTPS traffic, as indicated by the tls_state metadata.
  • The vulnerability affects all versions of the Sneeit Framework plugin up to and including 8.3; ensure version-based blocking or virtual patching covers this full range.
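
The checks listed above, combined into one log-side detector as an added example (not taken from the sources or from any vendor rule). The names classify and scan, the event tuple layout and the sample requests are constructed for illustration. Reading parameters from the query string as well as the body is an assumption made for coverage.

```python
from urllib.parse import parse_qs, unquote_plus, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "sneeit_articles_pagination"
# Characters/sequences listed above for inspection of the callback value.
META = [";", "\n", "`", "|", "$", '"', "-1"]
WINDOW = 180  # seconds: one alert per source IP per window


def classify(method, url, body):
    """Return None for unrelated traffic, else details of the suspicious request."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith(AJAX_PATH):
        return None
    # parse_qs URL-decodes once; query string is merged in (assumption, see lead-in).
    params = parse_qs(parts.query + "&" + body, keep_blank_values=True)
    if ACTION not in params.get("action", []) or "callback" not in params:
        return None
    hits = []
    for raw in params["callback"]:
        value = unquote_plus(raw)  # second pass catches double-encoded input
        hits += [m for m in META if m in value and m not in hits]
    return {"callback": params["callback"], "meta": hits}


def scan(events, window=WINDOW):
    """events: iterable of (epoch_seconds, src_ip, method, url, body)."""
    last_alert, alerts = {}, []
    for ts, ip, method, url, body in events:
        hit = classify(method, url, body)
        if hit is None:
            continue
        if ip in last_alert and ts - last_alert[ip] < window:
            continue  # suppressed by the per-IP threshold
        last_alert[ip] = ts
        alerts.append((ts, ip, hit))
    return alerts


# Constructed sample events (documentation IP ranges, not real traffic).
PFX = "action=" + ACTION + "&callback="
SAMPLE = [
    (0, "192.0.2.10", "POST", AJAX_PATH, PFX + "system"),
    (30, "192.0.2.10", "POST", AJAX_PATH, PFX + "wp_insert_user"),
    (60, "198.51.100.7", "POST", AJAX_PATH, "action=heartbeat&interval=15"),
    (200, "192.0.2.10", "POST", AJAX_PATH, PFX + "foo%253Bbar"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Correlate each alert's source IP and timestamp with subsequent WordPress user-creation events, as the monitoring note above suggests.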

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | | 9.8 | CRITICAL |