CVE-2025-6389

Critical

Published: 25 November 2025

Published

25 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0118 78.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This…

makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the RCE vulnerability in Sneeit Framework plugin versions up to 8.3 by requiring timely flaw identification, reporting, and patching per advisories.

SI-10 Information Input Validation good match

prevent

Enforces validation of unsanitized user input to the sneeit_articles_pagination_callback() function before passing to call_user_func(), preventing arbitrary PHP code execution.

SI-7 Software, Firmware, and Information Integrity partial match

detect

Verifies software and information integrity to detect unauthorized changes like backdoors or admin accounts created via exploitation of the RCE vulnerability.

Security SummaryAI

CVE-2025-6389 is a critical remote code execution (RCE) vulnerability affecting the Sneeit Framework plugin for WordPress in all versions up to and including 8.3. The flaw resides in the sneeit_articles_pagination_callback() function, which accepts unsanitized user input and passes it directly to PHP's call_user_func(), enabling arbitrary code injection as classified under CWE-94. With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-11-25.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. Successful exploitation allows execution of arbitrary PHP code on the affected server, which attackers can leverage to inject persistent backdoors or create new administrative user accounts, potentially leading to full server compromise.

Advisories detailing the vulnerability, including potential mitigations and patches, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve and the theme's release notes on ThemeForest at https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes.

Details

CWE(s): CWE-94

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote code execution in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve
security@wordfence.com