
Critical WordPress RCE Vulnerability: Wide-Scale Attacks Launched Through Sneeit Framework Plugin
The WordPress ecosystem is facing another serious security threat. In recent days, cybercriminals have begun actively exploiting a critical Remote Code Execution (RCE) vulnerability in the Sneeit Framework plugin. The flaw, identified as CVE-2025-6389 with a CVSS score of 9.8, allows attackers to fully compromise websites, create unauthorized administrator accounts, and upload malicious files.
Origin and Timeline of the Vulnerability
Sneeit Framework is widely used across WordPress websites and premium themes. Versions 8.3 and earlier were found to contain insufficient input validation, specifically in the sneeit_articles_pagination_callback function. Because this function processes user input without proper restrictions and passes it through call_user_func, attackers can execute arbitrary PHP code on the server.
The timeline of the vulnerability:
- June 10, 2025 — Discovered by researchers
- August 5, 2025 — Patch released (version 8.4)
- November 24, 2025 — Public disclosure
- Same day — Large-scale exploitation begins
More than 1,700 active installations were affected.
How the Exploit Works
The primary attack vector involves sending specially crafted AJAX requests to wp-admin/admin-ajax.php. Through manipulated callback and args parameters, attackers inject payloads that the server executes.
Typical attack stages include:
- Reconnaissance — Using phpinfo to gather server configuration data
- Admin account creation — Leveraging wp_insert_user to add a new administrator
- Backdoor deployment — Uploading malicious PHP scripts to maintain persistent access
- .htaccess modification — Bypassing upload directory restrictions
Frequently observed malicious files include:
xL.php, Canonical.php, upsf.php, tijtewmg.php
The upsf.php script downloads additional web shells from the attacker-controlled domain racoonlab.top.
Active Exploitation Confirmed by Wordfence
According to Wordfence analysts, more than 131,000 exploitation attempts were blocked within days of public disclosure.
Top attacking IP addresses:
- 185.125.50.59 — 74,000+ attempts
- 182.8.226.51 — 24,200+ attempts
- 89.187.175.80 — 4,600+ attempts
Premium Wordfence users received firewall protection on June 23, free users on July 23.
Impact and Consequences
If a website is running a vulnerable version of the plugin, attackers may:
- Fully compromise the site
- Create unauthorized administrator accounts
- Install PHP backdoors
- Steal data
- Hijack user sessions
- Modify server configuration
Additional indicators of compromise include the presence of finderdata.txt and goodfinderdata.txt files.
Root Cause of the Vulnerability
The core issue lies in processing unvalidated user input through call_user_func, enabling arbitrary code execution at the server level.
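The pattern described under "How the Exploit Works" and named here as the root cause, shown next to a hardened rewrite. This is an added illustration, not code from the Sneeit Framework or from the article: the handler names, the renderer functions, the "layout" request parameter and the nonce action string are all assumed for the example.

```php
<?php
// Added example (not the plugin's own code). Shows the unsafe dispatch
// pattern the article describes and a hardened equivalent.

// --- Vulnerable pattern: a request-controlled callable reaches call_user_func ---
function example_pagination_ajax_unsafe(): void {
    // Whatever string the client sends becomes the function that runs.
    $callback = isset($_POST['callback']) ? (string) $_POST['callback'] : '';
    $args     = isset($_POST['args']) ? (array) $_POST['args'] : [];
    if ($callback === '') {
        wp_send_json_error('missing callback', 400);
    }
    // Note: wrapping this in is_callable() would not help; it is true for
    // every defined PHP function, so an attacker-chosen name still executes.
    $html = call_user_func_array($callback, $args);
    wp_send_json_success($html);
}

// --- Hardened pattern: nonce, allowlist, typed arguments ---
// The client may only pick a key; the callable is never taken from the request.
const EXAMPLE_PAGINATION_RENDERERS = [
    'list' => 'example_render_list',
    'grid' => 'example_render_grid',
];

function example_render_list(int $page, int $per_page): string {
    // Placeholder renderer (assumed); a real one would query posts here.
    return sprintf('<ul data-page="%d" data-per-page="%d"></ul>', $page, $per_page);
}

function example_render_grid(int $page, int $per_page): string {
    return sprintf('<div class="grid" data-page="%d" data-per-page="%d"></div>', $page, $per_page);
}

function example_pagination_ajax_safe(): void {
    // 1. Reject requests that do not carry a nonce issued by this site.
    check_ajax_referer('example_pagination', 'nonce');

    // 2. Map a sanitized key onto a fixed allowlist of renderers.
    $layout = isset($_POST['layout']) ? sanitize_key($_POST['layout']) : 'list';
    if (!array_key_exists($layout, EXAMPLE_PAGINATION_RENDERERS)) {
        wp_send_json_error('unknown layout', 400);
    }

    // 3. Coerce arguments to the exact types the renderer expects instead of
    //    forwarding an arbitrary "args" array.
    $page     = max(1, absint($_POST['page'] ?? 1));
    $per_page = min(50, max(1, absint($_POST['per_page'] ?? 10)));

    $html = call_user_func(EXAMPLE_PAGINATION_RENDERERS[$layout], $page, $per_page);
    wp_send_json_success($html);
}

// Register only the hardened handler. Drop the nopriv hook and add a
// current_user_can() check if anonymous visitors should not reach it.
add_action('wp_ajax_example_pagination',        'example_pagination_ajax_safe');
add_action('wp_ajax_nopriv_example_pagination', 'example_pagination_ajax_safe');
```

The important difference is where the function name comes from: in the hardened version the request selects an entry in a constant array, so no string from the client is ever interpreted as a callable, and every argument is cast to the type the renderer declares.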
Solution: Update Immediately
Website owners should take the following actions without delay:
- Update Sneeit Framework to version 8.4 or newer.
- Review administrator accounts and delete suspicious entries.
- Scan /wp-content/uploads/ for unknown PHP files.
- Check .htaccess for unauthorized changes.
- Perform a full malware scan (Wordfence, ImunifyAV, etc.).
- Ensure backups and monitoring are properly configured.
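A read-only triage script covering the file-system items of the checklist above and the indicators of compromise named earlier in the article (the listed file names, PHP files under uploads, .htaccess changes that re-enable script execution, and the installed plugin version). This is an added example, not a tool from the article or from Wordfence; the WordPress root path, the plugin-header lookup by name and the .htaccess patterns are assumptions of this example, and anything it reports still has to be confirmed by a full malware scan.

```php
<?php
// Added triage example (not the article's or any vendor's code).
// Usage: php sneeit-triage.php /var/www/html     (path is an assumption)

// File names the article lists as observed on compromised sites.
const KNOWN_BAD_NAMES = [
    'xL.php', 'Canonical.php', 'upsf.php', 'tijtewmg.php',
    'finderdata.txt', 'goodfinderdata.txt',
];

// .htaccess directives that would allow PHP to run from the uploads tree
// (assumed patterns; review any match by hand).
const RISKY_HTACCESS = [
    '/AddType\s+application\/x-httpd-php/i',
    '/AddHandler\s+\S*php/i',
    '/SetHandler\s+\S*php/i',
    '/php_flag\s+engine\s+on/i',
    '/RemoveHandler/i',
];

function triage_uploads(string $wpRoot): array {
    $findings = [];
    $uploads  = rtrim($wpRoot, '/') . '/wp-content/uploads';
    if (!is_dir($uploads)) {
        return [['type' => 'error', 'path' => $uploads, 'detail' => 'uploads dir not found']];
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        $name = $file->getFilename();
        $path = $file->getPathname();
        // WordPress never writes PHP into uploads, so any such file is suspect.
        if (preg_match('/\.(php|phtml|phar|php[0-9])$/i', $name)) {
            $findings[] = ['type' => 'php_in_uploads', 'path' => $path, 'detail' => ''];
        }
        if (in_array($name, KNOWN_BAD_NAMES, true)) {
            $findings[] = ['type' => 'known_ioc_name', 'path' => $path, 'detail' => ''];
        }
        if ($name === '.htaccess') {
            $body = (string) file_get_contents($path);
            foreach (RISKY_HTACCESS as $re) {
                if (preg_match($re, $body)) {
                    $findings[] = ['type' => 'htaccess_enables_php', 'path' => $path, 'detail' => $re];
                }
            }
        }
    }
    return $findings;
}

// Locate a plugin by its "Plugin Name:" header and return its "Version:" header,
// so the script does not have to assume the plugin's directory name.
function installed_plugin_version(string $wpRoot, string $pluginName): ?string {
    $pluginsDir = rtrim($wpRoot, '/') . '/wp-content/plugins';
    foreach (glob($pluginsDir . '/*/*.php') ?: [] as $main) {
        $head = (string) file_get_contents($main, false, null, 0, 8192);
        if (!preg_match('/^\s*\*?\s*Plugin Name:\s*(.+?)\s*$/mi', $head, $m)) {
            continue;
        }
        if (strcasecmp(trim($m[1]), $pluginName) !== 0) {
            continue;
        }
        return preg_match('/^\s*\*?\s*Version:\s*(\S+)/mi', $head, $v) ? $v[1] : null;
    }
    return null;
}

$root = $argv[1] ?? getcwd();

$version = installed_plugin_version($root, 'Sneeit Framework');
if ($version === null) {
    echo "Sneeit Framework: not found under $root/wp-content/plugins\n";
} elseif (version_compare($version, '8.4', '<')) {
    echo "Sneeit Framework $version is VULNERABLE (CVE-2025-6389); update to 8.4 or newer\n";
} else {
    echo "Sneeit Framework $version is at or above the patched release\n";
}

foreach (triage_uploads($root) as $f) {
    printf("%-22s %s %s\n", $f['type'], $f['path'], $f['detail']);
}
```

The script only reads; it does not delete or quarantine anything, because the same file names can be checked against backups first and a confirmed backdoor should be preserved for incident review. Administrator accounts are not covered here since that check needs database access (for example via WP-CLI's user listing), and a plugin that reports version 8.4 or newer on a site that was exposed before patching still needs the account and file review described above.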
The CVE-2025-6389 vulnerability in the Sneeit Framework plugin is one of the most severe WordPress threats in recent months. It enables attackers to fully control websites and establish deep system access. Unpatched installations remain under active attack and continue to face significant risk.
Timely plugin updates and regular security monitoring remain the most effective defenses for WordPress websites.