Critical WordPress Plugin Vulnerability: Sneeit Framework Under Active Exploitation

04.12.2025 siteguarding2

A critical remote code execution vulnerability (CVE-2025-6389) affecting the Sneeit Framework WordPress plugin is being actively exploited by threat actors worldwide. With a maximum CVSS score of 9.8, this unauthenticated RCE flaw allows attackers to execute arbitrary PHP code on vulnerable WordPress installations, leading to complete site compromise. Over 131,000 exploitation attempts have been blocked since the vulnerability’s public disclosure on November 24, 2025, targeting approximately 1,700 active installations.

Vulnerability Overview

Technical Classification

Parameter	Details
CVE ID	CVE-2025-6389
CVSS Score	9.8 (Critical)
Vulnerability Type	Unauthenticated Remote Code Execution
Affected Plugin	Sneeit Framework
Vulnerable Versions	8.3 and earlier
Patched Version	8.4+
Active Installations	~1,700 WordPress sites
Authentication Required	No
Discovery Date	June 10, 2025
Patch Release	August 5, 2025
Public Disclosure	November 24, 2025
Exploitation Started	November 24, 2025 (same day)

Timeline of Events

Date	Event
June 10, 2025	Vulnerability discovered by security researcher Tonn
June 23, 2025	Wordfence premium users receive firewall protection
July 23, 2025	Wordfence free users receive protection
August 5, 2025	Vendor releases patched version 8.4
November 24, 2025	Public vulnerability disclosure
November 24, 2025	Active exploitation campaigns begin
December 2025	131,000+ blocked exploitation attempts recorded

Technical Analysis

Root Cause

The vulnerability originates from insufficient input validation in the sneeitarticlespaginationcallback function. The plugin processes user-supplied parameters through PHP’s call_user_func without proper sanitization or restriction, creating a direct pathway for arbitrary code execution.

Vulnerable Code Pattern:

sneeitarticlespaginationcallback function:
- Accepts callback parameter (user-controlled)
- Accepts args parameter (user-controlled)
- Passes directly to call_user_func without validation
- No authentication checks implemented

Attack Vector Details

Attackers exploit this vulnerability by sending specially crafted AJAX POST requests to the WordPress administrative endpoint:

Target Endpoint: wp-admin/admin-ajax.php

Exploitation Parameters:

action: sneeitarticlespaginationcallback
callback: arbitrary PHP function name
args: malicious parameters/code

Attack Methodology

Phase	Action	Purpose
1. Reconnaissance	Execute phpinfo() function	Gather server configuration details
2. Persistence	Create admin accounts via wp_insert_user	Establish permanent access
3. Backdoor Installation	Upload malicious PHP files	Deploy web shells and management tools
4. Privilege Escalation	Modify .htaccess files	Bypass upload restrictions
5. Lateral Movement	Deploy additional payloads	Expand control and data exfiltration

Known Malicious Files and IOC

Malware Signatures

Filename	Type	Functionality
`xL.php`	Web Shell	Remote command execution, file management
`Canonical.php`	Backdoor	Directory scanning, permission modification
`upsf.php`	Downloader	Fetches additional payloads from C2 server
`tijtewmg.php`	Web Shell	File upload/download, zip extraction
`finderdata.txt`	Data File	Attacker reconnaissance data storage
`goodfinderdata.txt`	Data File	Compromised site inventory

Command and Control Infrastructure

Indicator Type	Value	Purpose
Domain	racoonlab.top	Malware distribution and C2
Primary Attack IP	185.125.50.59	74,000+ blocked requests
Secondary IP	182.8.226.51	24,200+ blocked requests
Tertiary IP	89.187.175.80	4,600+ blocked requests

Indicators of Compromise

Website administrators should check for the following IOCs:

1. User Account Anomalies

Newly created administrator accounts with suspicious usernames
Accounts created outside normal business hours
Multiple admin accounts from same IP address

2. Filesystem Changes

Presence of unknown PHP files in WordPress directories
Modified .htaccess files in upload directories
New directories with random alphanumeric names
Files with execution permissions in upload folders

3. Log File Indicators

POST requests to admin-ajax.php with callback/args parameters
Requests from known malicious IP addresses
phpinfo() execution in access logs
wp_insert_user function calls from external sources

4. Network Indicators

Outbound connections to racoonlab.top
Unusual traffic patterns to admin-ajax.php endpoint
Multiple failed authentication attempts followed by successful admin creation

Impact Assessment

Risk Severity Matrix

Impact Category	Severity	Details
Confidentiality	Critical	Complete database access, credential theft
Integrity	Critical	Malicious content injection, defacement
Availability	High	Site downtime, resource exhaustion attacks
Financial	High	Data breach costs, recovery expenses
Reputation	High	SEO poisoning, malware distribution
Legal/Compliance	Medium-High	Data protection violations, PCI DSS issues

Attack Consequences

Immediate Threats:

Complete WordPress installation compromise
Unauthorized administrative access
Malware and web shell deployment
Database manipulation and data exfiltration
SEO spam injection
Malicious redirect implementation

Long-term Risks:

Persistent backdoor access
Site used for phishing campaigns
Distribution point for malware
Search engine blacklisting
Customer data breaches
Regulatory compliance violations

Mitigation and Remediation

Immediate Actions Required

Priority 1: Update Plugin (Critical)

Backup your WordPress installation and database
Update Sneeit Framework to version 8.4 or later immediately
If plugin is no longer needed, deactivate and delete completely
Verify plugin version after update: wp plugin list --format=table

Priority 2: Security Audit (Urgent)

Check for compromise indicators:

# Search for malicious PHP files
find /path/to/wordpress -name "xL.php" -o -name "Canonical.php" -o -name "upsf.php" -o -name "tijtewmg.php"

# Check for suspicious admin accounts
wp user list --role=administrator --format=table

# Review recent file modifications
find /path/to/wordpress -type f -mtime -7 -ls

# Scan for base64 encoded content (common in backdoors)
grep -r "base64_decode" /path/to/wordpress/wp-content/plugins/
grep -r "eval(" /path/to/wordpress/wp-content/plugins/

Priority 3: Access Review (High)

Review all administrator accounts for unauthorized additions
Force password reset for all admin users
Implement two-factor authentication (2FA)
Review user login history for anomalies
Check scheduled tasks (cron jobs) for malicious entries

Cleanup Procedures

If your site is compromised, follow these steps:

Step 1: Isolate the Site

Take site offline or put in maintenance mode
Block suspicious IP addresses at firewall level
Disable all AJAX functionality temporarily

Step 2: Remove Malicious Files

Delete all files listed in IOC section
Search for eval(), base64_decode(), and system() functions
Remove unauthorized .htaccess modifications
Delete any txt files in upload directories

Step 3: Database Cleanup

Remove unauthorized admin accounts
Check wp_options table for injected malicious code
Review wp_posts for SEO spam and malicious links
Verify wp_users table integrity

Step 4: Restore Integrity

Reinstall WordPress core files
Update all themes and plugins
Restore from clean backup if available
Change all passwords and API keys

Step 5: Implement Monitoring

Enable WordPress security logging
Set up file integrity monitoring
Configure alerts for admin account creation
Monitor for IOC patterns

Prevention Best Practices

Security Measure	Implementation	Priority
Regular Updates	Auto-update plugins, themes, core	Critical
Web Application Firewall	Deploy Wordfence, Sucuri, or Cloudflare	Critical
File Integrity Monitoring	Use AIDE, Tripwire, or similar	High
Security Hardening	Disable file editing, limit upload types	High
Access Control	Implement least privilege principle	High
Two-Factor Authentication	Require 2FA for all admin accounts	High
Security Auditing	Regular vulnerability scans	Medium
Backup Strategy	Daily automated backups with offsite storage	Critical
Log Monitoring	Centralized logging with SIEM integration	Medium
Incident Response Plan	Documented procedures for breach response	Medium

Security Recommendations

WordPress Hardening Checklist

Configuration Security:

Disable XML-RPC if not needed
Limit login attempts (max 3-5 failed attempts)
Change default database prefix from wp_
Disable directory browsing
Remove WordPress version information
Disable file editing in wp-config.php: define('DISALLOW_FILE_EDIT', true);

Plugin Management:

Audit installed plugins quarterly
Remove unused or abandoned plugins
Only install plugins from official WordPress repository
Check plugin last update date before installation
Review plugin permissions and capabilities

Server-Level Protection:

Keep PHP version updated (8.0+)
Implement proper file permissions (644 for files, 755 for directories)
Disable dangerous PHP functions (exec, shell_exec, system)
Use ModSecurity rules for Apache/Nginx
Enable server-level malware scanning

Detection and Monitoring

Key Metrics to Monitor:

Metric	Normal Baseline	Suspicious Activity
Admin-ajax.php Requests	<100/hour	>500/hour
Failed Login Attempts	<10/day	>50/day
New Admin Accounts	Known schedule	Unscheduled creation
File Modifications	Update schedule	Random modifications
Outbound Connections	Known services	Unknown domains
CPU/Memory Usage	<70% average	Sustained >90%

Compliance Considerations

Organizations subject to regulatory frameworks should consider:

GDPR Implications:

Notify data protection authority within 72 hours if personal data compromised
Document incident response actions
Assess data breach impact

PCI DSS Requirements:

Quarterly vulnerability scans
Annual penetration testing
Maintain secure configuration standards
Implement change control procedures

Official References

CVE Database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6389
WordPress Security: https://wordpress.org/documentation/article/hardening-wordpress/
OWASP WordPress Security: https://owasp.org/www-project-wordpress-security/

Conclusion

The CVE-2025-6389 vulnerability in Sneeit Framework represents a critical threat to WordPress security, with active exploitation targeting thousands of installations worldwide. The unauthenticated nature of this RCE vulnerability, combined with widespread automated attacks, makes immediate patching essential for all affected sites.

Website administrators must treat this as a high-priority security incident requiring immediate action. The combination of update deployment, security auditing, and implementation of defense-in-depth measures provides the best protection against current and future exploitation attempts.

Organizations using the Sneeit Framework should implement comprehensive security monitoring and maintain robust backup strategies to ensure rapid recovery in case of compromise. Regular security assessments and proactive plugin management remain critical components of WordPress security posture.

Key Takeaways:

Update to Sneeit Framework 8.4 immediately
Audit your WordPress installation for compromise indicators
Implement WAF protection and file integrity monitoring
Establish regular security maintenance schedules
Maintain offline backups for rapid recovery

Stay vigilant and prioritize security updates to protect your WordPress infrastructure from evolving threats.