Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
Briefly

"The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations. 'This is due to the [sneeit_articles_pagination_callback()] function accepting user input and then passing that through call_user_func(),' Wordfence said."
"In other words, the vulnerability can be leveraged to call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator user, which an attacker can then weaponize to seize control of the site and inject malicious code that can redirect site visitors to other sketchy sites, malware, or spam. Wordfence said in-the-wild exploitation commenced on November 24, 2025, the same day it was publicly disclosed, with the company blocking over 131,000 attempts targeting the flaw."
CVE-2025-6389 is a remote code execution vulnerability in the Sneeit Framework WordPress plugin that affects all versions up to and including 8.3. Version 8.4, released on August 5, 2025, contains a patch. The vulnerability exists because sneeit_articles_pagination_callback() accepts user input and passes it to call_user_func(), enabling execution of arbitrary PHP functions. Exploits can create administrative users, upload backdoors, and inject malicious PHP files to control sites or redirect visitors. Active exploitation began on November 24, 2025, with Wordfence blocking over 131,000 attempts and recording thousands of attacks per day. Malicious payloads include file managers and tools to scan, edit, delete, and extract files.
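The bug class described above, request data deciding which function call_user_func() runs, is shown here beside an allowlisted dispatcher. This is an added example, not the Sneeit Framework's code: the handler names, request keys (callback, args, layout, page) and renderers are hypothetical, and the request arrays are constructed sample input.

```php
<?php
declare(strict_types=1);

// Unsafe pattern (illustrative, never invoked below): the request names the
// function to run, so any callable PHP function is reachable.
function unsafe_pagination_callback(array $request)
{
    return call_user_func($request['callback'] ?? '', $request['args'] ?? []);
}

// Hardened pattern: the request supplies only a key into a fixed map.
const ALLOWED_RENDERERS = [
    'grid' => 'render_grid',
    'list' => 'render_list',
];

function render_grid(array $a): string { return "grid page {$a['page']}"; }
function render_list(array $a): string { return "list page {$a['page']}"; }

function safe_pagination_callback(array $request): string
{
    $key = $request['layout'] ?? '';
    if (!is_string($key) || !array_key_exists($key, ALLOWED_RENDERERS)) {
        throw new InvalidArgumentException('unknown layout');
    }
    // Arguments are validated too: only a bounded integer page number passes.
    $page = filter_var($request['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($page === false) {
        throw new InvalidArgumentException('invalid page');
    }
    return call_user_func(ALLOWED_RENDERERS[$key], ['page' => $page]);
}

// Constructed requests: one legitimate, one naming a function outside the map.
$samples = [
    ['layout' => 'grid', 'page' => '2'],
    ['layout' => 'wp_insert_user', 'page' => '1'],
];
foreach ($samples as $request) {
    try {
        echo safe_pagination_callback($request), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```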
Read at The Hacker News