Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Sneeit Framework plugin for WordPress actively exploited RCE flaw (CVE-2025-6389)

Vulnerability
First reported
Last updated
Happening score
H score 44
1 unique sources, 1 articles

Summary

Hide ▲

CVE-2025-6389 is an actively exploited remote code execution flaw in the Sneeit Framework plugin for WordPress that affects versions prior to and including 8.3, putting more than 1,700 active installations at risk of admin takeover and backdoor deployment. The issue was patched in version 8.4, but exploitation was already underway by November 24, 2025.

Related Happenings

XWiki cryptocurrency miner deployment via two-pass exploitation

Malware Activity
First: 29.10.2025 12:53 Last: 29.10.2025 12:53 Sources 1

About this happening: The **XWiki** exploit activity is now installing a **cryptocurrency miner**, turning **CVE-2025-24893** abuse into direct resource theft on exposed servers. Attackers are using a...

Open Happening

WordPress plugin exploitation wave (GutenKit and Hunk Companion)

Exploitation Wave
First: 24.10.2025 22:28 Last: 24.10.2025 22:28 Sources 1

About this happening: **WordPress** sites are facing a broad **exploitation wave** against **GutenKit** and **Hunk Companion** plugin flaws, with **Wordfence** blocking **8.7 million attack attempts**...

Open Happening

CISA KEV addition for Smartbedded Meteobridge CVE-2025-4008

Public Sector Action
First: 03.10.2025 11:23 Last: 03.10.2025 11:23 Sources 1

About this happening: CISA added **CVE-2025-4008** in **Smartbedded Meteobridge** to the **KEV catalog**, signaling **active exploitation** and requiring **FCEB agencies** to apply updates by **October...

Open Happening

Timeline

  1. 08.12.2025 11:15 1 articles · 5mo ago

    Sneeit Framework 8.4 patches CVE-2025-6389

    Mitigation Patch Update

    Version 8.4 of the Sneeit Framework plugin for WordPress, released on August 5, 2025, fixes CVE-2025-6389, a CVSS 9.8 remote code execution flaw affecting all versions prior to and including 8.3. The weakness comes from sneeit_articles_pagination_callback() accepting user input and passing it to call_user_func(), which can let unauthenticated attackers execute code on the server and enable backdoors or malicious administrator creation.

    Show sources
    Open in new tab
  2. 08.12.2025 11:15 2 articles · 5mo ago

    CVE-2025-6389 in-the-wild exploitation targets Sneeit Framework sites

    Exploitation Observed

    On November 24, 2025, attackers began exploiting CVE-2025-6389 against WordPress sites using the Sneeit Framework plugin, sending crafted requests to /wp-admin/admin-ajax.php to create malicious administrator accounts such as "arudikadis" and upload PHP payloads such as "tijtewmg.php" and "xL.php". Wordfence said it blocked more than 131,000 attempts targeting the flaw, and the observed files supported backdoor access and file manipulation on compromised hosts.

    Show sources
    Open in new tab
  3. 08.12.2025 11:15 1 articles · 5mo ago

    Wordfence discloses active exploitation of CVE-2025-6389

    Initial Disclosure

    On December 8, 2025, Wordfence characterized CVE-2025-6389 as actively exploited in the wild, said exploitation began on November 24, 2025, and reported that more than 131,000 attempts had been blocked against Sneeit Framework plugin installations. The disclosure tied the flaw to unauthenticated code execution through sneeit_articles_pagination_callback(), warning that attackers could create new administrative accounts and deploy backdoors.

    Show sources
    Open in new tab