Threat actors are actively exploiting a critical remote code execution vulnerability in the Sneeit Framework WordPress plugin, putting thousands of websites at immediate risk. The vulnerability, identified as CVE-2025-6389, carries a severe CVSS score of 9.8 and affects versions 8.3 and earlier of the plugin, which is used in approximately 1,700 active installations globally.
Discovered on June 10th, 2025, and reported to the vendor, the flaw was publicly disclosed on November 24th, 2025. Threat actors began exploitation attempts that same day, targeting unpatched websites worldwide. Security analysts at Wordfence reported blocking over 131,000 exploit attempts since the public disclosure, highlighting how widespread and immediate this threat is.
Exploitation Mechanics and Attack Vectors Fueling Sneeit Framework Vulnerability
The Sneeit Framework vulnerability arises from inadequate input validation within the sneeit_articles_pagination_callback function. This function processes user-supplied parameters without sufficient restrictions, creating an opening for attackers. Threat actors are leveraging this flaw by sending specially crafted AJAX requests to the wp-admin/admin-ajax.php endpoint. By manipulating the callback and args parameters within these requests, they can execute arbitrary PHP code directly on the compromised server.
Exploitation campaigns typically begin with reconnaissance. Attackers use the phpinfo function to gather crucial information about the target server. Following this initial phase, they proceed to inject malicious code, often through POST requests directed at the AJAX handler. The primary objectives appear to be the creation of unauthorized administrator accounts to gain full control of the website, or the installation of persistent backdoor access through the upload of malicious PHP files.
One of the prevalent attack methods observed involves the use of the wp_insert_user function. This allows attackers to create new administrative accounts, effectively handing them complete control over the website. This unauthorized access can lead to a complete compromise of the site, including data theft and further malicious activities.
In addition to creating new user accounts, attackers are also deploying malicious PHP files, often named with generic identifiers such as xL.php, Canonical.php, and tijtewmg.php. These are not simple scripts but full-featured web shells, described as able to scan directories, manage files, extract ZIP archives, and modify file permissions on the server. Associated malware samples, such as upsf.php, can download additional malicious payloads from attacker-controlled domains like racoonlab.top, creating a layered attack infrastructure.
These downloaded shells often facilitate the creation of malicious .htaccess files. On Apache servers, these modified .htaccess files can be used to bypass normal upload directory restrictions, enabling the further deployment of malware and the establishment of a more entrenched presence on the victim’s system. This sophisticated approach underscores the critical nature of the Sneeit Framework vulnerability.
The Sneeit Framework development team released a patched version, 8.4, on August 5th, 2025. However, the public disclosure of the vulnerability on November 24th, 2025, coincided with the surge in active exploitation. Wordfence began providing firewall protection for premium users on June 23rd, 2025, and extended this protection to free users on July 23rd, 2025, indicating proactive security measures were in place prior to the widespread attacks.
The implications of this vulnerability are severe. Unpatched websites are susceptible to complete site compromise, unauthorized creation of administrative accounts, and the installation of persistent backdoors. Data theft and the use of compromised websites for further malicious activities are significant risks. Indicators of compromise include the appearance of newly added administrator accounts, the presence of malicious PHP files, and modified .htaccess files.
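As an added defender-side example (not code from the advisory or from Wordfence), the following Python script checks a WordPress install for the three indicators listed above: administrator accounts registered on or after the disclosure date, PHP files under wp-content/uploads, and .htaccess files in that tree that carry a handler directive or were recently modified. It assumes the user list comes from `wp user list --format=json`; the handler-directive regex and the sample data are constructed.

```python
import json, os, re, tempfile
from datetime import datetime

DISCLOSURE = datetime(2025, 11, 24)  # public disclosure date from the advisory
HANDLER_DIRECTIVE = re.compile(r"^\s*(AddHandler|AddType|SetHandler)\b", re.I | re.M)  # assumed, not exhaustive


def suspicious_admins(users_json, since=DISCLOSURE):
    """Administrator accounts registered on or after `since`. `users_json` is assumed
    to be `wp user list --format=json` output (roles as a comma-separated string)."""
    hits = []
    for user in json.loads(users_json):
        roles = user.get("roles", "").split(",")
        registered = datetime.fromisoformat(user["user_registered"])
        if "administrator" in roles and registered >= since:
            hits.append(user["user_login"])
    return sorted(hits)


def scan_uploads(uploads_dir, since=DISCLOSURE):
    """PHP files anywhere under uploads, plus .htaccess files that carry a handler
    directive or were modified on or after `since`."""
    php_files, risky_htaccess = [], []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir).replace(os.sep, "/")
            if name.lower().endswith(".php"):
                php_files.append(rel)
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    text = fh.read()
                modified = datetime.fromtimestamp(os.path.getmtime(path))
                if HANDLER_DIRECTIVE.search(text) or modified >= since:
                    risky_htaccess.append(rel)
    return {"php_files": sorted(php_files), "risky_htaccess": sorted(risky_htaccess)}


def build_sample():
    """Constructed sample data for a dry run; not taken from a real compromise."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "2025", "11"))
    open(os.path.join(root, "2025", "11", "photo.jpg"), "w").close()
    open(os.path.join(root, "2025", "11", "xL.php"), "w").close()  # filename seen in the campaign
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("AddHandler application/x-httpd-php .jpg\n")  # constructed handler override
    users = json.dumps([
        {"user_login": "editor1", "user_registered": "2025-06-01 10:00:00", "roles": "editor"},
        {"user_login": "siteadmin", "user_registered": "2025-01-15 09:30:00", "roles": "administrator"},
        {"user_login": "sysuser", "user_registered": "2025-11-25 03:12:44", "roles": "administrator"},
    ])
    return root, users
```

Run `scan_uploads` against the real wp-content/uploads directory and feed `suspicious_admins` the JSON from WP-CLI; any hit is a lead to investigate, not proof of compromise on its own.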
Website owners are strongly advised to update their Sneeit Framework plugin to version 8.4 or a later release as a matter of urgency. This update is the most critical step in mitigating the risk posed by CVE-2025-6389 and protecting against further exploitation. The ongoing nature of these attacks means that delaying this update leaves websites vulnerable to immediate compromise.