Sneeit WordPress RCE flaw allows hackers to add themselves as admin: how to stay safe

  • Wordfence has discovered a critical RCE flaw (CVE-2025-6389) in the Sneeit Framework plugin affecting versions ≤8.3.
  • Exploitation allows attackers to create administrator accounts, install malicious plugins, and hack into WordPress sites.
  • Users are advised to update to version 8.4 and watch out for malicious administrators, suspicious PHP files and malicious AJAX activity.

Security researchers at Wordfence have warned of a critical vulnerability in a popular plugin that allows malicious actors to add themselves as administrators to WordPress sites.

In a security advisory published last week, Wordfence said it had discovered a remote code execution (RCE) vulnerability in the Sneeit Framework, a set of backend tools that WordPress administrators use to manage theme options, layouts and custom features. The bug is tracked as CVE-2025-6389, has a severity rating of 9.8/10 (Critical), and affects all versions of the plugin up to and including 8.3.

Version 8.4, which was released in early August 2025, is not affected. According to The Hacker News, the plugin currently has over 1,700 active installs.

How to stay safe

Explaining how the vulnerability works, Wordfence said that attackers can call any PHP function and use it to create a new administrator account, which gives them full control of the targeted website. From there they can easily install malicious plugins, add data scrapers, redirect victims to other websites, set up phishing landing pages, and so on.

Criminals reportedly began exploiting this vulnerability as soon as it became public. On the first day, Wordfence blocked more than 131,000 attacks, and today the number of daily attacks is still around 15,000.

The best way to protect yourself from this vulnerability is to update the plugin to version 8.4. Users are also advised to always keep their WordPress platform and all other plugins and themes up to date. Additionally, all unused items should be removed from the platform.

There are also signs of compromise that webmasters should be on the lookout for, such as the emergence of a new unauthorized WordPress admin account created by the vulnerable AJAX callback.

Another red flag is the presence of malicious PHP files uploaded to the server, including web shells called xL.php, Canonical.php, .a.php, simple.php or up_sf.php, as well as suspicious .htaccess files designed to enable the execution of dangerous file types.

Compromised websites may also contain files like finderdata.txt or goodfinderdata.txt, generated by the attacker’s shell scanning tool. Logs of successful AJAX requests from known attacking IP addresses such as 185.125.50.59, 182.8.226.51, 89.187.175.80 and others mentioned in the report are another strong indicator that the vulnerability has been exploited to gain access to the website.
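The indicators above can be checked with a short script. The following is an added example, not code from Wordfence or from the plugin; it assumes an Apache/nginx "combined" access log and that AJAX requests go to WordPress's standard admin-ajax.php endpoint, and it lists only the three IP addresses the article names.

```python
import os
import re
import tempfile

# Indicators named in the article (file names lowercased for matching).
IOC_FILES = {"xl.php", "canonical.php", ".a.php", "simple.php", "up_sf.php",
             "finderdata.txt", "goodfinderdata.txt"}
IOC_IPS = {"185.125.50.59", "182.8.226.51", "89.187.175.80"}

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def scan_webroot(root):
    """Return sorted relative paths whose file name matches an IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in IOC_FILES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def scan_access_log(lines):
    """Return (ip, status, path) for 2xx admin-ajax.php hits from IoC IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        if (m["ip"] in IOC_IPS and "admin-ajax.php" in m["path"]
                and m["status"].startswith("2")):
            hits.append((m["ip"], int(m["status"]), m["path"]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '185.125.50.59 - - [01/Dec/2025:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Dec/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '89.187.175.80 - - [01/Dec/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 9 "-" "curl/8.0"',
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed web root
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel in ("wp-content/uploads/up_sf.php", "index.php", "finderdata.txt"):
            open(os.path.join(root, rel), "w").close()
        print(scan_webroot(root))
    print(scan_access_log(SAMPLE_LOG))
```

A file-name match is a lead for manual review rather than proof of compromise, since names such as simple.php can belong to legitimate code; the list of administrator accounts still has to be checked separately.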
