CVE-2025-6389
Published 2025-11-25
Priority: P191 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 43.40% (98.6th percentile)
The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sneeit | sneeit_framework | <= 8.3 | — |
Detection & IOCs (extracted from sources)
command: action=sneeit_articles_pagination&callback=system
command: action=sneeit_articles_pagination&callback=wp_insert_user
- Exploit requests are unauthenticated HTTP POST to /wp-admin/admin-ajax.php with body containing action=sneeit_articles_pagination and a callback parameter set to dangerous functions such as 'system' or 'wp_insert_user'.
- The callback parameter value should be inspected for shell metacharacters and command injection sequences: semicolons (;), newlines (\n), backticks (`), pipes (|), dollar signs ($), double-quotes ("), and dash-one (-1) patterns, both raw and URL-encoded.
- Exploitation can result in backdoor injection or creation of new administrative user accounts; monitor WordPress user creation events following suspicious admin-ajax.php POST requests.
- The vulnerability is actively exploited in the wild; apply threshold-based alerting (e.g., 1 alert per source IP per 180 seconds) to reduce noise while ensuring coverage.
- The Snort/Suricata rule requires TLS decryption to be effective against HTTPS traffic, as indicated by the tls_state metadata.
- The vulnerability affects all versions of the Sneeit Framework plugin up to and including 8.3; ensure version-based blocking or virtual patching covers this full range.
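The checks in the list above, applied to request records in Python. This is an added example, not code from the page's sources or from the plugin vendor; the record layout (`ts`, `src`, `method`, `path`, `body`), the sample records and the `hypothetical_render_fn` value are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "sneeit_articles_pagination"
FLAGGED = ("system", "wp_insert_user")   # callback values named on this page
META = re.compile(r'[;\n`|$"]|-1')       # metacharacters from the guidance above
WINDOW = 180                             # seconds: one alert per source IP per window


def inspect(req):
    """Return a finding for one request record, or None if it does not match."""
    if req["method"] != "POST" or req["path"] != AJAX_PATH:
        return None
    # parse_qs URL-decodes, so raw and percent-encoded forms compare alike.
    params = parse_qs(req["body"], keep_blank_values=True)
    if ACTION not in params.get("action", []) or "callback" not in params:
        return None
    callbacks = params["callback"]
    return {
        "src": req["src"], "ts": req["ts"], "callback": callbacks[0],
        # Prefix match, case-insensitive, like the first pcre in the Suricata rule.
        "flagged": any(c.lower().startswith(FLAGGED) for c in callbacks),
        "meta": any(META.search(c) for c in callbacks),
    }


def alerts(requests):
    """Return flagged findings, limited to one per source IP per WINDOW seconds."""
    last, out = {}, []
    for req in sorted(requests, key=lambda r: r["ts"]):
        hit = inspect(req)
        if hit is None or not (hit["flagged"] or hit["meta"]):
            continue
        if hit["src"] in last and hit["ts"] - last[hit["src"]] < WINDOW:
            continue  # suppressed: this source already alerted inside the window
        last[hit["src"]] = hit["ts"]
        out.append(hit)
    return out


def rec(ts, src, method, body):
    return {"ts": ts, "src": src, "method": method, "path": AJAX_PATH, "body": body}

# Constructed sample records (documentation IP ranges), not captured traffic.
SAMPLE = [
    rec(0, "192.0.2.10", "POST", "action=sneeit_articles_pagination&callback=system"),
    rec(60, "192.0.2.10", "POST", "action=sneeit_articles_pagination&callback=wp_insert_user"),
    rec(200, "192.0.2.10", "POST", "action=sneeit_articles_pagination&callback=SYSTEM%60"),
    rec(90, "198.51.100.7", "GET", "action=sneeit_articles_pagination&callback=system"),
    rec(95, "198.51.100.7", "POST", "action=heartbeat&callback=system"),
    rec(100, "198.51.100.7", "POST", "action=sneeit_articles_pagination&callback=hypothetical_render_fn"),
]
```

Requests that carry the action with an unflagged callback are still returned by `inspect()`, so they can be logged at a lower severity instead of alerting.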
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-cpm8-v4gw-hgvh · ghsa_unreviewed · 2025-11-25
CVE-2025-6389 [CRITICAL] CWE-94
VulnCheck
Improper Control of Generation of Code ('Code Injection')
vulncheck · 2025 · CVSS 9.8
CVE-2025-6389 [CRITICAL]
Affected: Sneeit Sneeit Framework Plugin for WordPress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vul
Suricata
ET WEB_SPECIFIC_APPS Wordpress Sneeit Framework Plugin args Parameter Command Injection Attempt (CVE-2025-6389)
suricata · 2025-12-09 · CVSS 9.8
CVE-2025-6389 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress Sneeit Framework Plugin args Parameter Command Injection Attempt (CVE-2025-6389)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/wp-admin/admin-ajax.php"; http.request_body; content:"action|3d|sneeit|5f|articles|5f|pagination"; fast_pattern; content:"callback|3d|"; pcre:"/^(?:system|wp_insert_user)/Ri"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|user(?:\x5f|%5[fF])|(?:\x22|%22)|((?:\x2d|%2[dD])(?:\x31|%31)))+/Ri"; threshold:type limit, seconds 180, count 1, track by_src; reference:url,www.wordfence.com/blog/2025/12/a
No public exploits indexed.
No writeups or analysis indexed.