Find notable cyber news and cases, enriched with sources, timelines, and signals.

Sneeit Framework plugin for WordPress actively exploited RCE flaw (CVE-2025-6389)

Vulnerability
First reported
Last updated
Happening score
H score 46
1 unique sources, 1 articles

Summary

Hide ▲

CVE-2025-6389 is an actively exploited remote code execution flaw in the Sneeit Framework plugin for WordPress that affects versions prior to and including 8.3, putting more than 1,700 active installations at risk of admin takeover and backdoor deployment. The issue was patched in version 8.4, but exploitation was already underway by November 24, 2025.

Related Happenings

Everest Forms Pro CVE-2026-3300 active exploitation wave

Exploitation Wave
H score87 First: 05.06.2026 11:38 Last: 05.06.2026 11:38 Sources 1

About this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...

Magento exploitation wave for CVE-2026-45247

Exploitation Wave
H score9 First: 04.06.2026 10:19 Last: 04.06.2026 10:19 Sources 1

About this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...

XWiki cryptocurrency miner deployment via two-pass exploitation

Malware Activity
H score33 First: 29.10.2025 12:53 Last: 29.10.2025 12:53 Sources 1

About this happening: The **XWiki** exploit activity is now installing a **cryptocurrency miner**, turning **CVE-2025-24893** abuse into direct resource theft on exposed servers. Attackers are using a...

WordPress plugin exploitation wave (GutenKit and Hunk Companion)

Exploitation Wave
H score55 First: 24.10.2025 22:28 Last: 24.10.2025 22:28 Sources 1

About this happening: **WordPress** sites are facing a broad **exploitation wave** against **GutenKit** and **Hunk Companion** plugin flaws, with **Wordfence** blocking **8.7 million attack attempts**...

CISA KEV addition for Smartbedded Meteobridge CVE-2025-4008

Public Sector Action
H score36 First: 03.10.2025 11:23 Last: 03.10.2025 11:23 Sources 1

About this happening: CISA added **CVE-2025-4008** in **Smartbedded Meteobridge** to the **KEV catalog**, signaling **active exploitation** and requiring **FCEB agencies** to apply updates by **October...

Timeline

  1. 08.12.2025 11:15 1 articles · 7mo ago

    Sneeit Framework 8.4 patches CVE-2025-6389

    Mitigation Patch Update

    Version 8.4 of the Sneeit Framework plugin for WordPress, released on August 5, 2025, fixes CVE-2025-6389, a CVSS 9.8 remote code execution flaw affecting all versions prior to and including 8.3. The weakness comes from sneeit_articles_pagination_callback() accepting user input and passing it to call_user_func(), which can let unauthenticated attackers execute code on the server and enable backdoors or malicious administrator creation.

    Show sources
  2. 08.12.2025 11:15 2 articles · 7mo ago

    CVE-2025-6389 in-the-wild exploitation targets Sneeit Framework sites

    Exploitation Observed

    On November 24, 2025, attackers began exploiting CVE-2025-6389 against WordPress sites using the Sneeit Framework plugin, sending crafted requests to /wp-admin/admin-ajax.php to create malicious administrator accounts such as "arudikadis" and upload PHP payloads such as "tijtewmg.php" and "xL.php". Wordfence said it blocked more than 131,000 attempts targeting the flaw, and the observed files supported backdoor access and file manipulation on compromised hosts.

    Show sources
  3. 08.12.2025 11:15 1 articles · 7mo ago

    Wordfence discloses active exploitation of CVE-2025-6389

    Initial Disclosure

    On December 8, 2025, Wordfence characterized CVE-2025-6389 as actively exploited in the wild, said exploitation began on November 24, 2025, and reported that more than 131,000 attempts had been blocked against Sneeit Framework plugin installations. The disclosure tied the flaw to unauthenticated code execution through sneeit_articles_pagination_callback(), warning that attackers could create new administrative accounts and deploy backdoors.

    Show sources