- WordFence disclosed critical RCE flaw (CVE-2025-6389) in Sneeit Framework plugin, affecting versions ≤8.3
- Exploitation allows attackers to create admin accounts, install malicious plugins, and hijack WordPress sites
- Users urged to update to v8.4, monitor for rogue admins, suspicious PHP files, and malicious AJAX activity
Security researchers from WordFence have warned about a critical-severity vulnerability in a popular plugin which allows threat actors to add themselves as admins on WordPress sites.
In a security advisory published last week, WordFence said it found a remote code execution (RCE) bug in Sneeit Framework, a backend toolkit WordPress admins use to manage theme options, layouts, and custom features. The bug is tracked as CVE-2025-6389, was given a severity score 9.8/10 (critical) and affects all versions of the plugin prior to, and including, 8.3.
Version 8.4, released in early August 2025, is not affected. According to The Hacker News, the plugin currently has more than 1,700 active installations.
How to stay safe
Explaining how the vulnerability works, WordFence said that malicious actors could call an arbitrary PHP function and have it create a new admin user, which the attackers can then use to take full control over the target website. After that, they can easily install malicious plugins, add data scrapers, redirect victims to other sites, introduce phishing landing pages, and more.
Criminals reportedly started exploiting the flaw the moment it was publicly announced. The very first day, WordFence blocked more than 131,000 attacks, and even today, the number of daily attacks hovers at around 15,000.
The best way to remain safe from this vulnerability is to update the plugin to version 8.4. Users are also advised to keep their WordPress platform, as well as all other plugins and themes, updated at all times. Furthermore, all elements that are not in use should be deleted from the platform.
There are also indicators of compromise that webmasters should look out for – such as the appearance of a new, unauthorized WordPress admin account, created through the vulnerable AJAX callback.
Another red flag is the presence of malicious PHP files uploaded to the server, including webshells named xL.php, Canonical.php, .a.php, simple.php, or up_sf.php, as well as suspicious .htaccess files designed to allow execution of dangerous file types.
Compromised sites may also contain files like finderdata.txt or goodfinderdata.txt, generated by the attacker’s shell-finder tool. Log files showing successful AJAX requests from known attacking IPs — such as 185.125.50.59, 182.8.226.51, 89.187.175.80, and others listed in the report are another strong indicator that the vulnerability was used to access the site.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
