Critical remote code execution flaw in Sneeit Framework WordPress Plugin actively exploited
Take action: If you're using the Sneeit Framework WordPress plugin, immediately update to version 8.4 or later. Your site is vulnerable and is being actively attacked. Check your WordPress site for unauthorized administrator accounts (especially username "arudikadis") and suspicious PHP files in your uploads directory to ensure you haven't been compromised.
A critical remote code execution vulnerability in the Sneeit Framework WordPress plugin is under mass exploitation by threat actors, with over 131,000 attack attempts blocked since public disclosure.
The vulnerability is tracked as CVE-2025-6389 (CVSS score 9.8) and is caused by the sneeit_articles_pagination_callback() function within the plugin's code, which accepts user-supplied input through the 'callback' parameter and passes it directly to PHP's call_user_func() function without any validation or sanitization.
The function also retrieves data from the 'args' parameter, which is supplied via user input and decoded from JSON format. This design flaw allows unauthenticated threat actors to call arbitrary PHP functions with arbitrary parameters, effectively enabling complete remote code execution on the target server.
Attackers can use this vulnerability to create new administrator accounts using the wp_insert_user() function, upload webshells and backdoors to maintain persistent access, modify theme files, and steal sensitive data.
The flaw affects all versions of the plugin up to and including version 8.3. The vulnerability was initially reported to Wordfence on June 10th, 2025, and the vendor released a patched version 8.4 on August 5th, 2025. The flaw remained largely unknown until Wordfence publicly disclosed it in their Intelligence Vulnerability Database on November 24th, 2025.
Attackers began mass exploitation campaigns the same day. The Wordfence firewall has blocked over 131,000 exploit attempts targeting this vulnerability since disclosure. Attackers are employing multiple exploitation techniques:
- attempts to create malicious administrator accounts with credentials such as user login "arudikadis" and email addresses at suspicious domains like "qjerry.top",
- uploading malicious PHP files with names like "tijtewmg.php", likely containing backdoors, by executing system commands through curl,
- probing vulnerable sites using phpinfo() to confirm successful exploitation.
Seven IP addresses have been identified as the most active sources of attacks, with 185.125.50.59 accounting for over 74,000 blocked requests, 182.8.226.51 responsible for over 24,200 blocked requests, and 89.187.175.80 generating over 4,600 blocked requests. The remaining highly active attacking IPs include 194.104.147.192, 196.251.100.39, 114.10.116.226, and 116.234.108.143.
Administrators are strongly urged to immediately update the Sneeit Framework plugin to version 8.4 or later to eliminate the vulnerability and maintain normal functionality.
Site owners should immediately review their WordPress installations for signs of compromise, including unauthorized administrator accounts, suspicious PHP files in upload directories or the web root, modified .htaccess files, and unusual entries in access logs corresponding to the identified attacking IP addresses.
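The log review described above can be partly automated. The following is an added triage script (not from Wordfence or the plugin vendor) that scans combined-format web server access logs for the three indicator types this article names: requests from the listed attacking IPs, 'callback' values naming PHP functions, and the quoted account, domain and file names. The sample log lines, request paths and the extra function names beyond wp_insert_user and phpinfo are constructed assumptions for the demo.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Source IPs named in the Wordfence telemetry summarised in the article.
KNOWN_ATTACKER_IPS = {
    "185.125.50.59", "182.8.226.51", "89.187.175.80", "194.104.147.192",
    "196.251.100.39", "114.10.116.226", "116.234.108.143",
}
# 'callback' values worth flagging: wp_insert_user and phpinfo are named in the
# article; the remaining PHP command/file functions are added here as an assumption.
SUSPECT_CALLBACKS = {"wp_insert_user", "phpinfo", "system", "exec", "shell_exec",
                     "passthru", "file_put_contents"}
# Campaign indicators quoted in the article.
SUSPECT_STRINGS = ("arudikadis", "qjerry.top", "tijtewmg.php")

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')

def classify(line):
    """Return the list of reasons a log line looks related to this campaign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m.group("ip") in KNOWN_ATTACKER_IPS:
        reasons.append("known attacking IP " + m.group("ip"))
    query = parse_qs(urlparse(m.group("path")).query)  # percent-decodes values
    for value in query.get("callback", []):
        # JSONP-style callback=jQuery123 is normal; only flag PHP function names.
        if value in SUSPECT_CALLBACKS:
            reasons.append("callback=" + value)
    decoded = unquote(line)
    for needle in SUSPECT_STRINGS:
        if needle in decoded:
            reasons.append("indicator " + needle)
    return reasons

def scan(lines):
    """Map the index of each suspicious line to its list of reasons."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            hits[i] = reasons
    return hits

# Constructed sample lines; paths, timestamps and user agents are made up.
SAMPLE_LOG = [
    '185.125.50.59 - - [24/Nov/2025:10:15:01 +0000] "GET /?callback=phpinfo&args=%5B%5D HTTP/1.1" 200 1423 "-" "curl/8.0"',
    '203.0.113.7 - - [24/Nov/2025:10:16:44 +0000] "GET /wp-content/uploads/tijtewmg.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.20 - - [24/Nov/2025:10:17:02 +0000] "GET /feed/?callback=jQuery123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '89.187.175.80 - - [24/Nov/2025:10:18:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, "; ".join(reasons))
```

Access logs normally record only the request line, not POST bodies, so exploit parameters sent in a POST body will not show up here; a clean scan is not proof the site was untouched, and the account and file checks listed above still need to be done directly.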