WordFence Exposes Severe RCE Vulnerability in Sneeit Framework Plugin
- Critical RCE vulnerability (CVE-2025-6389) identified in the Sneeit Framework plugin, affecting versions ≤8.3.
- Exploitation enables attackers to create unauthorized admin accounts, install harmful plugins, and seize control of WordPress sites.
- Users are advised to upgrade to v8.4 and to monitor for rogue admin accounts, dubious PHP files, and malicious AJAX activity.
Cybersecurity specialists at WordFence have issued a stern warning regarding a critical vulnerability present in a widely used WordPress plugin, which permits threat actors to elevate themselves to administrator status on WordPress sites.
In a security bulletin released last week, WordFence detailed the discovery of a remote code execution (RCE) flaw within the Sneeit Framework—a backend toolkit employed by WordPress administrators for theme management and feature customization.
This bug, cataloged as CVE-2025-6389, carries a severity rating of 9.8 out of 10 and affects all versions of the plugin up to and including 8.3.
The most recent update, version 8.4, launched in early August 2025, fixes this vulnerability. Reports indicate that the plugin currently has over 1,700 active installations.
Staying Safe from Exploitation
WordFence explained how the vulnerability works: malicious actors can invoke arbitrary PHP functions, which lets them create new admin users and take total control of the targeted website.
The implications are severe, as attackers can install harmful plugins, deploy data-mining scripts, redirect users to malicious sites, and create phishing landing pages, among other nefarious activities.
Notably, exploitation attempts commenced immediately upon the vulnerability’s public disclosure. On the first day alone, WordFence thwarted over 131,000 attacks, and even today, daily assault rates hover at approximately 15,000.
The most effective mitigation strategy involves promptly updating the plugin to version 8.4. Users are also encouraged to consistently maintain the WordPress platform, as well as all plugins and themes, in their latest versions. Moreover, any unused components should be purged from the platform.
Webmasters should also remain vigilant for specific indicators of compromise. These include the emergence of unauthorized WordPress admin accounts, created via the vulnerable AJAX callback mechanism.

Another warning sign includes the presence of nefarious PHP files on servers, such as webshells named xL.php, Canonical.php, .a.php, simple.php, or up_sf.php, along with suspicious .htaccess files designed to enable the execution of potentially harmful file types.
Additionally, compromised sites might harbor files such as finderdata.txt or goodfinderdata.txt, which are generated by the attacker’s shell-finder utility.
Log files that record successful AJAX requests originating from known malicious IPs—such as 185.125.50.59, 182.8.226.51, 89.187.175.80, amongst others noted in the report—serve as strong indicators of this vulnerability’s exploitation.
Source link: Techradar.com.






