- WordFence disclosed critical RCE flaw (CVE-2025-6389) in Sneeit Framework plugin affecting versions ≤8.3
- Exploit allows attackers to create administrator accounts, install malicious plugins, and hijack WordPress sites
- Users are encouraged to update to v8.4, monitor for rogue admins, suspicious PHP files and malicious AJAX activity
Security researchers from WordFence have warned of a critical vulnerability in a popular plugin that allows threat actors to add themselves as administrators on WordPress websites.
In a security advisory published last week, WordFence said it found a remote code execution (RCE) flaw in the Sneeit Framework, a backend toolkit that WordPress administrators use to manage theme settings, layouts and custom features. The bug is tracked as CVE-2025-6389, received a severity rating of 9.8/10 (Critical), and affects all versions of the plugin prior to and including 8.3.
Version 8.4, released in early August 2025, is not affected. According to The Hacker News, the plugin currently has more than 1,700 active installations.
How to stay safe
To explain how the vulnerability works, WordFence said malicious actors could call an arbitrary PHP function and have it create a new admin user, which the attackers could then use to take full control of the target website. Then they can easily install malicious plugins, add data scrapers, redirect victims to other websites, introduce phishing landing pages and more.
Criminals reportedly began exploiting the flaw the moment it was made public. On the very first day, WordFence blocked more than 131,000 attacks, and even today the number of daily attacks is around 15,000.
The best way to stay safe from this vulnerability is to update the plugin to version 8.4. Users are also advised to keep their WordPress platform, as well as all other plugins and themes, up to date at all times. In addition, all elements that are not in use must be deleted from the platform.
There are also indicators of compromise that webmasters should watch for – such as the appearance of a new, unauthorized WordPress admin account, created through the vulnerable AJAX callback.
Another red flag is the presence of malicious PHP files uploaded to the server, including webshells named xL.php, Canonical.php, .a.php, simple.php or up_sf.php, as well as suspicious .htaccess files designed to allow the execution of dangerous file types.
Compromised websites may also contain files like finderdata.txt or goodfinderdata.txt, generated by the attacker’s shell-finder tool. Logs showing successful AJAX requests from known attacker IPs – such as 185.125.50.59, 182.8.226.51, 89.187.175.80 and others listed in the report – are another strong indicator that the vulnerability was used to access the site.
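One way a site owner could check for the file and log indicators above, added here as an example and not taken from the WordFence report: it walks a WordPress directory for the listed file names and looks for successful requests to /wp-admin/admin-ajax.php (WordPress's standard AJAX endpoint) from the three listed IPs. The combined access-log format and the sample log lines are assumptions constructed for illustration.

```python
import os
import re
import sys

# Indicators named in the article; the report lists further IPs not repeated here.
IOC_FILES = {"xl.php", "canonical.php", ".a.php", "simple.php", "up_sf.php",
             "finderdata.txt", "goodfinderdata.txt"}
IOC_IPS = {"185.125.50.59", "182.8.226.51", "89.187.175.80"}
AJAX_PATH = "/wp-admin/admin-ajax.php"  # WordPress's standard AJAX endpoint

# Assumption: Apache/nginx combined log format with the client IP as first field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def scan_files(root):
    """Relative paths under root whose name matches a listed file (case-insensitive).
    A name match is a lead to inspect, not proof: e.g. simple.php can be legitimate."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.relpath(os.path.join(dirpath, f), root)
                 for f in files if f.lower() in IOC_FILES]
    return sorted(hits)

def scan_log(lines):
    """(ip, status) for each 2xx request to admin-ajax.php from a listed IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        ip, target, status = m.groups()
        if ip in IOC_IPS and target.split("?")[0].endswith(AJAX_PATH) and status[0] == "2":
            hits.append((ip, int(status)))
    return hits

# Constructed sample lines (timestamps, sizes and user agents are made up).
SAMPLE_LOG = [
    '185.125.50.59 - - [01/Jan/2026:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-"',
    '89.187.175.80 - - [01/Jan/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 0 "-" "-"',
    '182.8.226.51 - - [01/Jan/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
    '203.0.113.7 - - [01/Jan/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "-"',
]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("files:", scan_files(root))
    print("log hits:", scan_log(SAMPLE_LOG))
```

Blocked (403) requests and ordinary page fetches from the listed IPs are deliberately not reported, since the article names successful AJAX requests as the indicator; the administrator list and any .htaccess files still need a manual review.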
Via Hacker News