A critical Remote Code Execution (RCE) vulnerability affecting the Sneeit framework — a core plugin bundled with many premium themes — is currently being exploited to take full control of WordPress websites. Although a patch was quietly released in August 2025, the public disclosure on November 24 triggered an immediate and large-scale wave of automated attacks.

Background

The Sneeit Framework is widely distributed across premium themes, including FlatNews, a highly popular editorial and magazine-style theme. Installed on several thousand websites, it provides advanced pagination features, content display logic, and internal utilities used by the themes.

The vulnerable component relies on an internal callback mechanism used during dynamic article loading.

Vulnerability Details

The CVE-2025-6389 vulnerability (CVSS 9.8) stems from a design flaw in the internal function sneeit_articles_pagination_callback().

This function accepts parameters supplied by the user and passes them directly into call_user_func() without any validation or restriction.

As a result, an unauthenticated attacker can invoke any PHP function available on the server with arbitrary parameters simply by supplying the callback and args fields, which amounts to remote code execution (RCE) with no authentication required.
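To make the design flaw concrete, here is an added illustration that is not the Sneeit Framework's code: a simplified reconstruction of the unsafe pattern the advisory describes, placed next to a hardened dispatcher that only lets the client choose a key from a fixed allowlist. Apart from call_user_func() itself, every function and field name below is an assumption made for the example.

```php
<?php
// Added example, not the Sneeit Framework's code. The unsafe function mirrors the
// pattern described in the advisory; the hardened one shows the usual fix.
// Names other than call_user_func() are assumptions for illustration.

// UNSAFE PATTERN (hypothetical): the request decides both which function runs and
// what it receives. Nothing restricts the set of callable functions.
function unsafe_pagination_callback(array $request)
{
    $callback = $request['callback'] ?? '';
    $args     = $request['args'] ?? null;
    return call_user_func($callback, $args);
}

// HARDENED: the client may only select a key; the key maps to an internal renderer,
// and the renderer's arguments are coerced and clamped instead of trusted.
const ALLOWED_RENDERERS = [
    'recent'   => 'example_render_recent',
    'category' => 'example_render_category',
];

function example_render_recent(int $page, int $perPage): string
{
    return sprintf('<ul data-page="%d" data-per-page="%d"></ul>', $page, $perPage);
}

function example_render_category(int $page, int $perPage, int $categoryId): string
{
    return sprintf('<ul data-cat="%d" data-page="%d" data-per-page="%d"></ul>',
        $categoryId, $page, $perPage);
}

function safe_pagination_callback(array $request): string
{
    // Inside WordPress this dispatcher would sit behind check_ajax_referer(), so that
    // only the theme's own front-end requests (carrying a valid nonce) reach it.
    $key = (string) ($request['callback'] ?? '');
    if (!array_key_exists($key, ALLOWED_RENDERERS)) {
        throw new InvalidArgumentException('unknown renderer');
    }

    $args    = is_array($request['args'] ?? null) ? $request['args'] : [];
    $page    = max(1, (int) ($args['page'] ?? 1));          // never below page 1
    $perPage = min(50, max(1, (int) ($args['per_page'] ?? 10))); // bounded page size

    $renderer = ALLOWED_RENDERERS[$key];
    if ($key === 'category') {
        $categoryId = max(0, (int) ($args['category'] ?? 0));
        return $renderer($page, $perPage, $categoryId);
    }
    return $renderer($page, $perPage);
}

// Demonstration: an allowlisted key renders; an arbitrary function name is rejected
// before anything is called.
if (PHP_SAPI === 'cli') {
    echo safe_pagination_callback(['callback' => 'recent', 'args' => ['page' => 2]]), PHP_EOL;
    try {
        safe_pagination_callback(['callback' => 'not_a_renderer', 'args' => []]);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The important property is that the request string is never used as a function name: it is only ever compared against the allowlist keys, and the mapping from key to PHP function lives in server-side code. A nonce check narrows who can reach the endpoint, but the allowlist is what removes the RCE primitive, since a leaked or predictable nonce would otherwise still expose call_user_func() to attacker-chosen input.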

Observed Exploitation

Compromises have already been observed, and the malicious payloads are diverse:

1. Creation of malicious administrator accounts

Requests targeting the vulnerable callback attempt to create a new administrator account, giving the attacker immediate access to the WordPress backend.

2. Deployment of PHP backdoors

Attackers upload PHP files disguised as system components, such as:

  • xL.php
  • Canonical.php
  • .a.php
  • tijtewmg.php
  • up_sf.php

To evade detection, some malicious files mimic the signature of a legitimate WordPress core file (such as canonical.php) by copying that file's initial comment block.

Indicators of Compromise

If your site uses the Sneeit Framework, immediately inspect the following:

Suspicious files to look for

  • xL.php
  • up_sf.php
  • tijtewmg.php
  • Canonical.php or abnormal variants
  • Any recently modified .php files in /wp-content/ or /wp-includes/

Abnormal .htaccess files

Some attackers deploy an .htaccess file containing rules targeting specific file extensions (e.g., .py, .exe, .phtml) to facilitate arbitrary file execution.

IP addresses frequently linked to attacks

Some automated attack infrastructure has generated extremely high volumes of malicious requests, including:

  • 185.125.50.59 (over 74,000 attempts)
  • 182.8.226.51 (over 24,000 attempts)
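The indicators above can be checked mechanically. The following is an added triage script, not part of the advisory or the Sneeit Framework: a stand-alone PHP CLI tool that walks a WordPress install for the listed file names, recently modified PHP under wp-content/ or wp-includes/, and .htaccess rules that hand the listed extensions to a script handler, and that counts access-log lines from the two source IPs. The default look-back window, the directive names in the .htaccess pattern and the log format assumption (client IP as the first field, as in the Apache/Nginx combined format) are assumptions made for the example.

```php
<?php
// Added example: stand-alone PHP CLI IoC triage, not part of the advisory or plugin.
// Usage: php sneeit_ioc_scan.php /path/to/wordpress [look-back-days] [access.log]
// The look-back default, .htaccess directive list and log format are assumptions.

// File names listed in the advisory, compared case-insensitively.
const SUSPICIOUS_NAMES = ['xl.php', 'canonical.php', '.a.php', 'tijtewmg.php', 'up_sf.php'];

// The one location where WordPress core legitimately ships canonical.php.
const LEGIT_CANONICAL = 'wp-includes/canonical.php';

// Handler directives (assumed set) that would route the listed extensions to PHP.
const HTACCESS_PATTERN = '/^\s*(AddHandler|AddType|SetHandler|ForceType)\b.*\.(py|exe|phtml)\b/im';

// Source IPs reported in the advisory.
const KNOWN_SOURCE_IPS = ['185.125.50.59', '182.8.226.51'];

function scan_wordpress_root(string $root, int $recentDays = 7): array
{
    $root     = rtrim(realpath($root) ?: $root, '/');
    $cutoff   = time() - $recentDays * 86400;
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path  = $file->getPathname();
        $rel   = ltrim(substr($path, strlen($root)), '/');
        $name  = $file->getFilename();
        $lower = strtolower($name);

        // 1. Known backdoor names. canonical.php is legitimate only at its core path
        //    and only with the exact lower-case spelling; "Canonical.php" anywhere is not.
        if (in_array($lower, SUSPICIOUS_NAMES, true)
            && !($name === 'canonical.php' && $rel === LEGIT_CANONICAL)) {
            $findings[] = ['type' => 'suspicious_name', 'path' => $rel];
        }

        // 2. Recently modified PHP under wp-content/ or wp-includes/.
        if (str_ends_with($lower, '.php')
            && (str_starts_with($rel, 'wp-content/') || str_starts_with($rel, 'wp-includes/'))
            && $file->getMTime() >= $cutoff) {
            $findings[] = ['type' => 'recent_php', 'path' => $rel,
                           'mtime' => date('c', $file->getMTime())];
        }

        // 3. .htaccess rules that make non-PHP extensions executable.
        if ($name === '.htaccess') {
            $content = file_get_contents($path);
            if ($content !== false && preg_match(HTACCESS_PATTERN, $content, $m)) {
                $findings[] = ['type' => 'htaccess_handler', 'path' => $rel,
                               'rule' => trim($m[0])];
            }
        }
    }
    return $findings;
}

// Count requests from the reported IPs in an access log whose first field is the client IP.
function count_requests_from_known_ips(string $logPath): array
{
    $counts = array_fill_keys(KNOWN_SOURCE_IPS, 0);
    $fh = fopen($logPath, 'r');
    if ($fh === false) {
        return $counts;
    }
    while (($line = fgets($fh)) !== false) {
        $ip = strtok($line, ' ');
        if ($ip !== false && isset($counts[$ip])) {
            $counts[$ip]++;
        }
    }
    fclose($fh);
    return $counts;
}

if (PHP_SAPI === 'cli' && isset($argv)) {
    $root = $argv[1] ?? '.';
    $days = (int) ($argv[2] ?? 7);
    foreach (scan_wordpress_root($root, $days) as $finding) {
        echo json_encode($finding), PHP_EOL;
    }
    if (isset($argv[3])) {
        echo json_encode(count_requests_from_known_ips($argv[3])), PHP_EOL;
    }
}
```

Because the observed backdoors copy a core file's opening comment block, a content-based signature on that header is not a reliable discriminator; the script therefore keys on path, spelling and modification time. For the core directory itself, comparing every file against the official checksums (for example with WP-CLI's wp core verify-checksums) is the more dependable check, and any hit from this script should be followed by a review of the account table for administrators you did not create.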

Remediation Measures

  • Immediately update the Sneeit Framework to version 8.4 or later. All versions ≤ 8.3 are vulnerable.
  • Review recently modified files and remove any backdoors and unexpected administrator accounts found during the inspection above.

The CVE-2025-6389 vulnerability is already monitored within Seckhmet.
