A critical Remote Code Execution (RCE) vulnerability has been discovered in the Sneeit Framework, a core plugin bundled with multiple premium themes. While the patch was quietly released in August, the public disclosure on November 24th, 2025, triggered an immediate onslaught of attacks.
According to security researchers at Wordfence, the reaction from threat actors was instantaneous. “Our records indicate that attackers started exploiting the issue the same day on November 24th, 2025”. The scale of this campaign is staggering, with the Wordfence Firewall having “already blocked over 131,000 exploit attempts targeting this vulnerability.”
At the heart of this vulnerability (CVE-2025-6389) is a coding error that allows unauthenticated users to take complete control of a server. The issue resides in the sneeit_articles_pagination_callback() function.
The report details exactly why this function is so dangerous: “This is due to the function accepting user input and then passing that through call_user_func().”
Because the plugin fails to sanitize or restrict this input, “the attacker can call an arbitrary PHP function through the ‘callback’ parameter with arbitrary function parameters passed through the ‘args’ parameter”. This effectively hands the keys to the kingdom to any hacker who asks for them.
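To make that failure mode concrete, the following is an added illustrative example, not code from the Sneeit Framework, Wordfence, or any WordPress theme. It shows a hypothetical pagination handler written in the vulnerable style the report describes (a request-supplied callback name and argument list reaching call_user_func_array(), which is the array form of call_user_func) next to a hardened version that maps a short client key to a fixed internal function and validates every argument. The handler and renderer names, the allowlist, and the `page`/`per_page` parameters are assumptions; only the `callback` and `args` parameter names come from the report.

```php
<?php
// Illustrative example added here; it is NOT the Sneeit Framework's code.
// It shows the class of bug described in the report (a request-controlled
// callback name reaching call_user_func) next to an allowlisted dispatcher.

// VULNERABLE PATTERN (hypothetical handler): the callback name and its
// arguments come straight from the request, so any PHP function is reachable.
function pagination_callback_vulnerable(array $request)
{
    $callback = (string) ($request['callback'] ?? '');
    $args     = (array) ($request['args'] ?? []);
    return call_user_func_array($callback, $args);   // arbitrary function call
}

// HARDENED PATTERN: the client picks a key, the server maps it to a fixed
// internal function, and every forwarded argument is validated.
const PAGINATION_RENDERERS = [
    'grid' => 'render_grid_page',
    'list' => 'render_list_page',
];

function render_grid_page(int $page, int $perPage): string
{
    return sprintf('<div class="grid" data-page="%d" data-per-page="%d"></div>', $page, $perPage);
}

function render_list_page(int $page, int $perPage): string
{
    return sprintf('<ul class="list" data-page="%d" data-per-page="%d"></ul>', $page, $perPage);
}

function pagination_callback_hardened(array $request): string
{
    $key = (string) ($request['callback'] ?? '');
    if (!array_key_exists($key, PAGINATION_RENDERERS)) {
        throw new InvalidArgumentException("unknown renderer '$key'");
    }
    $page    = filter_var($request['page'] ?? 1, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    $perPage = filter_var($request['per_page'] ?? 10, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1, 'max_range' => 50]]);
    if ($page === false || $perPage === false) {
        throw new InvalidArgumentException('page/per_page must be small positive integers');
    }
    $renderer = PAGINATION_RENDERERS[$key];
    return $renderer($page, $perPage);
}

// Constructed request: the callback is not a pagination renderer at all. The
// vulnerable handler still executes it (a harmless built-in is used for the
// demonstration); the hardened one refuses it.
$request = ['callback' => 'strtoupper', 'args' => ['hello']];
var_dump(pagination_callback_vulnerable($request));

try {
    pagination_callback_hardened($request);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate request only ever names an allowlisted key.
echo pagination_callback_hardened(['callback' => 'grid', 'page' => '2', 'per_page' => '20']), "\n";
```

The allowlist is what closes the hole: the client never supplies a function name, only a key the server resolves itself, so there is nothing for an unauthenticated caller to reach. Inside a real WordPress AJAX handler the same code would additionally verify the request nonce with check_ajax_referer() and, where the action is privileged, the caller's capability with current_user_can().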
Attackers are not just testing the waters; they are actively attempting to seize control of sites. The report highlights two primary objectives:
- Privilege Escalation: “The following request attempts to add a new malicious administrative user account”.
- Backdoor Installation: Attackers are using the flaw to upload malicious PHP files, often disguised to look like legitimate system files.
One of the most insidious tactics observed is the use of malware named xL.php, Canonical.php, or .a.php. To evade detection, these files include “a comment block which is found in the legitimate WordPress core file canonical.php in the wp-includes directory.”
Once installed, this malware is a Swiss Army knife for hackers, featuring “a directory scanner, file deletion capabilities, and allows for the extraction of zip files.”
If you are running the Sneeit Framework, check your web-server and firewall logs immediately. The report identifies several IP addresses responsible for a large share of the attack traffic:
- 185.125.50.59 (Responsible for over 74,000 requests)
- 182.8.226.51 (Over 24,000 requests)
Files to Watch For:
- xL.php
- up_sf.php
- tijtewmg.php
- A malicious .htaccess file referencing specific extensions like .py, .exe, or .phtml.
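The following triage script is an added example and is not tooling from the Wordfence report. It checks two things using only the indicators quoted above: an access log in the common combined format (assumed; adjust the regex for other formats) for requests from the listed IP addresses or for requests that carry both a `callback` and an `args` parameter in the query string, and a WordPress document root for the named dropper files, a `Canonical.php` copy outside `wp-includes/`, and an `.htaccess` that references `.py`, `.exe` or `.phtml`. The sample log lines are constructed, the non-listed client addresses are documentation ranges, and the `CONSTRUCTED_FUNC` value is a placeholder; POST bodies do not appear in access logs, so the query-string check only catches GET-style attempts, and a run with no hits does not prove the site is clean.

```php
<?php
// Added triage script; it is not from the Wordfence report. It checks an
// access log and a WordPress document root for the indicators quoted above.

// Values quoted in the article. File names are compared case-insensitively
// so that "Canonical.php" and "canonical.php" both match.
const SUSPECT_IPS   = ['185.125.50.59', '182.8.226.51'];
const SUSPECT_FILES = ['xl.php', 'up_sf.php', 'tijtewmg.php', 'canonical.php', '.a.php'];
const HTACCESS_EXTS = ['.py', '.exe', '.phtml'];

// Minimal combined-log-format parser: client IP and the quoted request line.
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3]];
}

// Reasons a request looks like an exploit attempt; an empty array means clean.
function classify_request(array $req): array
{
    $reasons = [];
    if (in_array($req['ip'], SUSPECT_IPS, true)) {
        $reasons[] = 'source IP listed in the report';
    }
    $query = parse_url($req['target'], PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $params);
    // Both parameters of the vulnerable function in one request. Only query
    // strings reach the access log; POST bodies need WAF or request logging.
    if (isset($params['callback'], $params['args'])) {
        $reasons[] = 'callback+args parameters (CVE-2025-6389 pattern)';
    }
    return $reasons;
}

function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = classify_request($req);
        if ($reasons !== []) {
            $hits[] = ['ip' => $req['ip'], 'target' => $req['target'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Walk the document root for dropped files and a tampered .htaccess.
function scan_files(string $root): array
{
    $findings = [];
    $root = rtrim($root, '/');
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $name = strtolower($file->getFilename());
        $rel  = str_replace(DIRECTORY_SEPARATOR, '/', substr($file->getPathname(), strlen($root) + 1));
        // The genuine core file lives only at wp-includes/canonical.php.
        if ($rel === 'wp-includes/canonical.php') {
            continue;
        }
        if (in_array($name, SUSPECT_FILES, true)) {
            $findings[] = "suspect file: $rel";
        } elseif ($name === '.htaccess') {
            $body = (string) file_get_contents($file->getPathname());
            foreach (HTACCESS_EXTS as $ext) {
                if (stripos($body, $ext) !== false) {
                    $findings[] = "htaccess references $ext: $rel";
                    break;
                }
            }
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic) so the script runs stand-alone.
$sampleLog = <<<'LOG'
185.125.50.59 - - [24/Nov/2025:10:00:00 +0000] "POST /index.php HTTP/1.1" 200 512
203.0.113.7 - - [24/Nov/2025:10:00:01 +0000] "GET /?callback=CONSTRUCTED_FUNC&args[]=1 HTTP/1.1" 200 100
198.51.100.3 - - [24/Nov/2025:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048
LOG;

print_r(scan_log($sampleLog));
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(scan_files($argv[1]));   // e.g. php triage.php /var/www/html
}
```

Run it from the command line with the document root as the first argument to get both the log hits and the file findings; the first and second sample lines are flagged (listed IP, and callback+args pattern respectively) and the third is clean. Because the report gives file names rather than hashes, the file scan matches on name only; any hit should be confirmed by inspecting the file, and a file-integrity comparison against a known-good WordPress core is the stronger check for disguised copies such as `Canonical.php`.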
The vendor has patched this flaw in version 8.4. If you are using a version up to and including 8.3, you are at risk.