
Devastating WordPress Vulnerability (CVE-2025-6389) Enables Unauthenticated Remote Code Execution

  • Dec 4, 2025

Key Findings


  • A critical Remote Code Execution (RCE) vulnerability has been discovered in the Sneeit Framework, a core plugin bundled with multiple premium WordPress themes.

  • The vulnerability (CVE-2025-6389) allows unauthenticated users to take complete control of a server.

  • Threat actors started exploiting the issue on November 24th, 2025, the same day it was publicly disclosed.

  • The Wordfence Firewall has already blocked over 131,000 exploit attempts targeting this vulnerability.


Background


The vulnerability resides in the `sneeit_articles_pagination_callback()` function, which accepts user input and passes it through `call_user_func()` without proper sanitization or restriction. This allows attackers to call arbitrary PHP functions with arbitrary parameters, effectively granting them full control of the system.


Privilege Escalation Attempts


Attackers are attempting to leverage the flaw to add new malicious administrative user accounts, escalating their privileges on the compromised sites.


Backdoor Installation


Hackers are also using the vulnerability to upload malicious PHP files, often disguised to look like legitimate system files. These include `xL.php`, `Canonical.php`, and `.a.php`, which provide a range of capabilities such as directory scanning, file deletion, and zip file extraction.


Indicators of Compromise


The report identifies several high-traffic IP addresses used in the attacks:


  • 185.125.50.59 (Responsible for over 74,000 requests)

  • 182.8.226.51 (Over 24,000 requests)


The researchers also recommend watching for the following malicious files:


  • `xL.php`

  • `up_sf.php`

  • `tijtewmg.php`

  • A malicious `.htaccess` file referencing specific extensions like `.py`, `.exe`, or `.phtml`.
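
The indicators above can be checked against a site's files and access log. The script below is an added example, not code from the report or from Wordfence: it uses only the file names, extensions and IP addresses listed on this page. It assumes a standard access log where the client IP is the first field, and `demo()` runs on constructed sample data.

```python
import os
import re
import tempfile

# File names, IPs and .htaccess extensions are copied from this page's lists.
SUSPECT_NAMES = {"xL.php", "Canonical.php", ".a.php", "up_sf.php", "tijtewmg.php"}
SUSPECT_IPS = {"185.125.50.59", "182.8.226.51"}
HTACCESS_EXT = re.compile(r"\b(?:py|exe|phtml)\b", re.IGNORECASE)


def scan_tree(root):
    """Return sorted (reason, relative_path) leads found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name in SUSPECT_NAMES:
                findings.append(("suspect-filename", rel))
            elif name == ".htaccess":
                with open(os.path.join(root, rel), errors="replace") as fh:
                    if HTACCESS_EXT.search(fh.read()):
                        findings.append(("htaccess-extension-rule", rel))
    return sorted(findings)


def count_suspect_ips(log_lines):
    """Count requests per listed IP; assumes the client IP is the first field."""
    hits = {}
    for line in log_lines:
        ip = line.split(" ", 1)[0]
        if ip in SUSPECT_IPS:
            hits[ip] = hits.get(ip, 0) + 1
    return hits


def demo():
    """Run both checks on constructed sample data (not real evidence)."""
    files = {"xL.php": "<?php", "index.php": "<?php",
             ".htaccess": r'<FilesMatch "\.(py|exe|phtml)$">'}
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        for name, body in files.items():
            with open(os.path.join(uploads, name), "w") as fh:
                fh.write(body)
        findings = scan_tree(root)
    log = [ip + ' - - [24/Nov/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 12'
           for ip in ("185.125.50.59", "203.0.113.7", "185.125.50.59")]
    return findings, count_suspect_ips(log)
```

Every hit is a lead to review by hand: a legitimate `.htaccess` can mention these extensions too, and file names are matched case-sensitively.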


Mitigation


The vendor has patched this flaw in version 8.4 of the Sneeit Framework. If you are using a version up to and including 8.3, you are at risk and should upgrade immediately.


Sources


  • https://securityonline.info/critical-wordpress-flaw-cve-2025-6389-under-active-exploitation-allows-unauthenticated-rce/

  • https://securityonline.info/catastrophic-react-flaw-cve-2025-55182-cvss-10-0-allows-unauthenticated-rce-on-next-js-and-server-components/

  • https://x.com/fridaysecurity/status/1996406236246577564

  • https://x.com/the_yellow_fall/status/1996405953059860853


© 2025 by Explain IT Again. Powered and secured by Wix
