A newly disclosed critical vulnerability in the Sneeit Framework — a widely used WordPress plugin powering premium themes such as FlatNews — is being actively targeted in the wild.
Assigned CVE-2025-6389 and scoring 9.8 (Critical) on the CVSS scale, this flaw allows unauthenticated Remote Code Execution (RCE) on any site running Sneeit Framework versions 8.3 or earlier.
FlatNews, one of the most popular editorial and magazine-style WordPress themes with 1,041 sales, depends on the Sneeit Framework for core functionality, making all unpatched deployments vulnerable.
The vulnerability resides in the plugin’s sneeit_articles_pagination_callback() function, which accepts user-controlled input and passes it directly into PHP’s call_user_func() — a dangerous pattern that can allow attackers to execute arbitrary code.
According to the disclosure, “This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.”
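To make the pattern concrete for plugin and theme developers, here is an added illustration in PHP of what "user-controlled input passed directly into call_user_func()" looks like, beside a hardened form that only dispatches through a fixed allowlist. This is example code written for this article, not the Sneeit Framework's own code; every function name, hook name and request parameter below (prefixed `hypothetical_`) is invented for the illustration, while `add_action`, `check_ajax_referer`, `sanitize_key`, `absint`, `get_posts`, `wp_send_json_success` and `wp_send_json_error` are real WordPress API functions.

```php
<?php
// Added illustration for this article; not the Sneeit Framework's code.
// All hypothetical_* names and the 'layout'/'page'/'callback' parameters
// are assumptions made for the example.

// UNSAFE PATTERN (the shape the disclosure describes): a request field
// decides which PHP function runs. Hooked on wp_ajax_nopriv_*, this is
// reachable by anyone, so the caller effectively chooses the callable.
function hypothetical_unsafe_pagination_callback() {
    $callback = $_POST['callback'] ?? '';
    $args     = $_POST['args'] ?? array();
    echo call_user_func( $callback, $args ); // caller-controlled callable
    wp_die();
}

// HARDENED FORM: the request may only pick a key from a fixed map; the raw
// string never reaches call_user_func, so an unknown key is rejected before
// anything is invoked. The allowlist is a constant, not built from input.
const HYPOTHETICAL_PAGINATION_RENDERERS = array(
    'latest'  => 'hypothetical_render_latest_articles',
    'popular' => 'hypothetical_render_popular_articles',
);

function hypothetical_safe_pagination_callback() {
    // Nonces can be issued to anonymous visitors too (e.g. via
    // wp_localize_script), so front-end pagination can still verify one.
    check_ajax_referer( 'hypothetical_pagination', 'nonce' );

    $key  = sanitize_key( $_POST['layout'] ?? '' );
    $page = max( 1, absint( $_POST['page'] ?? 1 ) );

    if ( ! array_key_exists( $key, HYPOTHETICAL_PAGINATION_RENDERERS ) ) {
        wp_send_json_error( 'unknown layout', 400 ); // calls wp_die()
    }

    // Only a value from the constant map is ever passed to call_user_func.
    $renderer = HYPOTHETICAL_PAGINATION_RENDERERS[ $key ];
    wp_send_json_success( call_user_func( $renderer, $page ) );
}

// Renderers take the validated page number only, never a free-form callable.
function hypothetical_render_latest_articles( int $page ): string {
    $posts = get_posts( array(
        'posts_per_page' => 10,
        'paged'          => $page,
        'orderby'        => 'date',
        'order'          => 'DESC',
    ) );
    return hypothetical_render_list( $posts );
}

function hypothetical_render_popular_articles( int $page ): string {
    $posts = get_posts( array(
        'posts_per_page' => 10,
        'paged'          => $page,
        'orderby'        => 'comment_count',
        'order'          => 'DESC',
    ) );
    return hypothetical_render_list( $posts );
}

function hypothetical_render_list( array $posts ): string {
    $html = '<ul>';
    foreach ( $posts as $post ) {
        $html .= '<li><a href="' . esc_url( get_permalink( $post ) ) . '">'
               . esc_html( get_the_title( $post ) ) . '</a></li>';
    }
    return $html . '</ul>';
}

// Registration: the hardened handler is the only one exposed; both the
// logged-in and the anonymous AJAX hooks point at it.
add_action( 'wp_ajax_hypothetical_pagination',        'hypothetical_safe_pagination_callback' );
add_action( 'wp_ajax_nopriv_hypothetical_pagination', 'hypothetical_safe_pagination_callback' );
```

The difference to look for in a code review is not whether `call_user_func()` appears at all, but whether its first argument can be traced back to a request field. Any handler whose callable, class name, method name or include path is derived from `$_GET`, `$_POST` or `$_REQUEST` without an allowlist lookup in between has the same shape as the flaw described above and is worth flagging regardless of what the function is named.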
In other words, no login is required — an attacker only needs to hit the vulnerable endpoint to:
- Upload a webshell
- Create a rogue admin account
- Modify theme files
- Take over the entire site
- Pivot deeper into the hosting environment
For WordPress site owners, this is the most severe type of vulnerability possible.
Security firm Wordfence confirmed that threat actors are already scanning and exploiting the flaw across the internet.
Wordfence reports that it “blocked 491 attacks targeting this vulnerability in the past 24 hours.”

This rapid uptick suggests automated botnets and opportunistic actors are actively incorporating CVE-2025-6389 into their exploit kits.
The developers have released Sneeit Framework version 8.4, which patches the vulnerable code path.