A newly disclosed critical vulnerability in the Sneeit Framework, a widely used WordPress plugin powering premium themes such as FlatNews, is being actively targeted in the wild.
Assigned CVE-2025-6389 and scoring 9.8 (Critical) on the CVSS scale, this flaw allows unauthenticated Remote Code Execution (RCE) on any site running Sneeit Framework versions 8.3 or earlier.
FlatNews, one of the most popular editorial and magazine-style WordPress themes with 1,041 sales, depends on the Sneeit Framework for core functionality, making all unpatched deployments vulnerable.
The vulnerability resides in the plugin's sneeit_articles_pagination_callback() function, which accepts user-controlled input and passes it directly into PHP's call_user_func(), a dangerous pattern that can allow attackers to execute arbitrary code.
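The pattern described above, next to an allowlisted alternative, as an added example that is not the Sneeit Framework's code or its 8.4 patch. Every function name, request key and sample request here is hypothetical and constructed for illustration.

```php
<?php
// Added illustration; all names are hypothetical, not taken from the plugin.

// Unsafe shape: the request decides which PHP function gets called.
function demo_pagination_unsafe(array $request)
{
    $callback = $request['callback'] ?? '';
    $args     = $request['args'] ?? '';
    // Whatever callable name the client sent is invoked with client data.
    return call_user_func($callback, $args);
}

// Hardened shape: the client sends a key, the server owns the key-to-function map.
const DEMO_RENDERERS = [
    'grid' => 'demo_render_grid',
    'list' => 'demo_render_list',
];

function demo_render_grid(int $page): string { return "grid page $page"; }
function demo_render_list(int $page): string { return "list page $page"; }

function demo_pagination_safe(array $request): string
{
    $key = $request['layout'] ?? '';
    if (!is_string($key) || !array_key_exists($key, DEMO_RENDERERS)) {
        throw new InvalidArgumentException('unknown layout');
    }
    // Arguments are validated to the type the renderer expects.
    $page = filter_var($request['page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($page === false) {
        throw new InvalidArgumentException('invalid page');
    }
    return call_user_func(DEMO_RENDERERS[$key], $page);
}

// Constructed sample requests (benign function name used for the unsafe case).
$unintended = ['callback' => 'strtoupper', 'args' => 'not a renderer'];
echo demo_pagination_unsafe($unintended), PHP_EOL;   // runs a function the developer never exposed

echo demo_pagination_safe(['layout' => 'grid', 'page' => '2']), PHP_EOL;
try {
    demo_pagination_safe(['layout' => 'strtoupper', 'page' => '2']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;    // key is not in the server-side map
}
```

When auditing other plugins or themes for the same class of bug, look for call_user_func(), call_user_func_array() or variable function calls whose first argument can be traced back to request data.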
According to the disclosure, "This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts."
In other words, no login is required; an attacker only needs to reach the vulnerable endpoint to:
- Upload a webshell
- Create a rogue admin account
- Modify theme files
- Take over the entire site
- Pivot deeper into the hosting environment
For WordPress site owners, this is the most severe type of vulnerability possible.
Security firm Wordfence confirmed that threat actors are already scanning and exploiting the flaw across the internet.
The scale is already measurable: "Wordfence blocked 491 attacks targeting this vulnerability in the past 24 hours."

This rapid uptick suggests automated botnets and opportunistic actors are actively incorporating CVE-2025-6389 into their exploit kits.
The developers have released Sneeit Framework version 8.4, which patches the vulnerable code path.