Sneeit Framework plugin for WordPress actively exploited RCE flaw (CVE-2025-6389)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2025-6389 is an actively exploited remote code execution flaw in the Sneeit Framework plugin for WordPress that affects versions prior to and including 8.3, putting more than 1,700 active installations at risk of admin takeover and backdoor deployment. The issue was patched in version 8.4, but exploitation was already underway by November 24, 2025.
Related Happenings
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation Wave
H score87
First: 05.06.2026 11:38
Last: 05.06.2026 11:38
Sources 1
About this happening:
Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
XWiki cryptocurrency miner deployment via two-pass exploitation
Malware Activity
H score33
First: 29.10.2025 12:53
Last: 29.10.2025 12:53
Sources 1
About this happening:
The **XWiki** exploit activity is now installing a **cryptocurrency miner**, turning **CVE-2025-24893** abuse into direct resource theft on exposed servers. Attackers are using a...
XWiki cryptocurrency miner deployment via two-pass exploitation
Malware ActivityAbout this happening: The **XWiki** exploit activity is now installing a **cryptocurrency miner**, turning **CVE-2025-24893** abuse into direct resource theft on exposed servers. Attackers are using a...
WordPress plugin exploitation wave (GutenKit and Hunk Companion)
Exploitation Wave
H score55
First: 24.10.2025 22:28
Last: 24.10.2025 22:28
Sources 1
About this happening:
**WordPress** sites are facing a broad **exploitation wave** against **GutenKit** and **Hunk Companion** plugin flaws, with **Wordfence** blocking **8.7 million attack attempts**...
WordPress plugin exploitation wave (GutenKit and Hunk Companion)
Exploitation WaveAbout this happening: **WordPress** sites are facing a broad **exploitation wave** against **GutenKit** and **Hunk Companion** plugin flaws, with **Wordfence** blocking **8.7 million attack attempts**...
CISA KEV addition for Smartbedded Meteobridge CVE-2025-4008
Public Sector Action
H score36
First: 03.10.2025 11:23
Last: 03.10.2025 11:23
Sources 1
About this happening:
CISA added **CVE-2025-4008** in **Smartbedded Meteobridge** to the **KEV catalog**, signaling **active exploitation** and requiring **FCEB agencies** to apply updates by **October...
CISA KEV addition for Smartbedded Meteobridge CVE-2025-4008
Public Sector ActionAbout this happening: CISA added **CVE-2025-4008** in **Smartbedded Meteobridge** to the **KEV catalog**, signaling **active exploitation** and requiring **FCEB agencies** to apply updates by **October...
Timeline
-
08.12.2025 11:15 1 articles · 7mo ago
Sneeit Framework 8.4 patches CVE-2025-6389
Mitigation Patch UpdateVersion 8.4 of the Sneeit Framework plugin for WordPress, released on August 5, 2025, fixes CVE-2025-6389, a CVSS 9.8 remote code execution flaw affecting all versions prior to and including 8.3. The weakness comes from sneeit_articles_pagination_callback() accepting user input and passing it to call_user_func(), which can let unauthenticated attackers execute code on the server and enable backdoors or malicious administrator creation.
Show sources
- Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks — thehackernews.com — 08.12.2025 11:15
-
08.12.2025 11:15 2 articles · 7mo ago
CVE-2025-6389 in-the-wild exploitation targets Sneeit Framework sites
Exploitation ObservedOn November 24, 2025, attackers began exploiting CVE-2025-6389 against WordPress sites using the Sneeit Framework plugin, sending crafted requests to /wp-admin/admin-ajax.php to create malicious administrator accounts such as "arudikadis" and upload PHP payloads such as "tijtewmg.php" and "xL.php". Wordfence said it blocked more than 131,000 attempts targeting the flaw, and the observed files supported backdoor access and file manipulation on compromised hosts.
Show sources
- Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks — thehackernews.com — 08.12.2025 11:15
- Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks — thehackernews.com — 08.12.2025 11:15
-
08.12.2025 11:15 1 articles · 7mo ago
Wordfence discloses active exploitation of CVE-2025-6389
Initial DisclosureOn December 8, 2025, Wordfence characterized CVE-2025-6389 as actively exploited in the wild, said exploitation began on November 24, 2025, and reported that more than 131,000 attempts had been blocked against Sneeit Framework plugin installations. The disclosure tied the flaw to unauthenticated code execution through sneeit_articles_pagination_callback(), warning that attackers could create new administrative accounts and deploy backdoors.
Show sources
- Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks — thehackernews.com — 08.12.2025 11:15