Sneeit WordPress RCE Vulnerability: Hackers Can Add Themselves as Admin – Stay Protected
Critical RCE Vulnerability in Sneeit Framework Plugin
Security researchers from Wordfence have identified a critical remote code execution (RCE) vulnerability in the Sneeit Framework plugin, which is widely used by WordPress administrators. This flaw, tracked as CVE-2025-6389, has a severity score of 9.8/10 and affects all versions of the plugin up to and including version 8.3. The vulnerability was fixed in version 8.4, which was released in early August 2025.
The Sneeit Framework is a backend toolkit that helps users manage theme options, layouts, and custom features. However, the newly discovered bug allows attackers to execute arbitrary PHP functions, enabling them to create new admin accounts on affected sites. Once an attacker gains admin access, they can install malicious plugins, add data scrapers, redirect users to other websites, or introduce phishing landing pages.
Exploitation and Impact
Since the vulnerability was made public, cybercriminals have been actively exploiting it. On the first day after the disclosure, Wordfence blocked over 131,000 attacks, and even today, the number of daily attacks remains around 15,000. This indicates that the flaw is being used extensively in real-world scenarios.
The potential damage caused by this vulnerability is severe. Attackers can take full control of a website, leading to data breaches, loss of user trust, and even financial losses for businesses relying on their online presence.
How to Stay Safe
To protect against this threat, users are strongly advised to update the Sneeit Framework plugin to version 8.4 immediately. In addition to updating the plugin, it's crucial to keep the entire WordPress platform, along with all other plugins and themes, up to date. Any unused elements should be removed from the site to reduce the attack surface.
Webmasters should also be vigilant for signs of compromise. Some indicators include:
- The appearance of a new, unauthorized admin account created through the vulnerable AJAX callback
- The presence of suspicious PHP files uploaded to the server, such as webshells named xL.php, Canonical.php, .a.php, simple.php, or up_sf.php
- Unusual .htaccess files designed to allow execution of dangerous file types
- Files like finderdata.txt or goodfinderdata.txt, generated by an attacker’s shell-finder tool
- Log files showing successful AJAX requests from known attacking IPs, such as 185.125.50.59, 182.8.226.51, and 89.187.175.80
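The file and log indicators above can be checked with a short script. The following is an added example, not code from Wordfence or the plugin author. It assumes an Apache/Nginx combined-format access log, that AJAX requests go to WordPress's admin-ajax.php endpoint, and that handler directives in an .htaccess file are a useful heuristic for the "unusual .htaccess" indicator. The sample log lines and file tree are constructed.

```python
import os, re, tempfile

# Indicators as listed in the article; a match is a lead to review, not proof.
IOC_FILES = {"xL.php", "Canonical.php", ".a.php", "simple.php", "up_sf.php",
             "finderdata.txt", "goodfinderdata.txt"}
IOC_IPS = {"185.125.50.59", "182.8.226.51", "89.187.175.80"}
# Apache directives that can make extra file types executable (assumed heuristic).
HTACCESS_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler)\b", re.I | re.M)
# Assumed combined log format: ip - - [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def scan_tree(root):
    """Return sorted (reason, path) pairs for files matching the indicators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in IOC_FILES:
                hits.append(("ioc-filename", path))
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    if HTACCESS_RE.search(fh.read()):
                        hits.append(("htaccess-handler", path))
    return sorted(hits)

def scan_access_log(lines):
    """Return (ip, status, path) for 2xx admin-ajax.php requests from listed IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in IOC_IPS and "admin-ajax.php" in m.group(2) \
                and m.group(3).startswith("2"):
            hits.append((m.group(1), int(m.group(3)), m.group(2)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '185.125.50.59 - - [01/Jan/2026:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "-"',
    '185.125.50.59 - - [01/Jan/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 12 "-" "-"',
    '203.0.113.7 - - [01/Jan/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("log:", hit)
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        open(os.path.join(root, "up_sf.php"), "w").close()
        for hit in scan_tree(root):
            print("file:", hit)
```

Generic names such as simple.php can occur legitimately, and some hosts add handler directives to .htaccess themselves, so each hit should be reviewed alongside the user list for unexpected admin accounts.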
Additional Security Measures
Beyond monitoring for these indicators, users should implement additional security measures to safeguard their WordPress sites. These include:
- Using strong, unique passwords for all user accounts
- Enabling two-factor authentication (2FA) for admin access
- Regularly backing up the site and storing backups securely
- Using a reputable security plugin to monitor for suspicious activity
By taking these steps, users can significantly reduce the risk of falling victim to this critical vulnerability.
Final Recommendations
In light of the ongoing exploitation of CVE-2025-6389, it is essential for all WordPress administrators to act quickly. Updating to the latest version of the Sneeit Framework plugin is the most effective way to mitigate the risk. Additionally, maintaining a proactive approach to website security will help prevent future threats.
