{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6389", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-20T02:01:57.382Z", "datePublished": "2025-11-25T02:26:49.836Z", "dateUpdated": "2026-04-08T17:17:17.744Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:17.744Z"}, "affected": [{"vendor": "Sneeit", "product": "Sneeit Framework", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts."}], "title": "Sneeit Framework <= 8.3 - Unauthenticated Remote Code Execution in sneeit_articles_pagination_callback", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve"}, {"url": "https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-11-24T14:03:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:38:26.219240Z", "id": "CVE-2025-6389", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:39:24.911Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6389", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-25T14:38:26.219240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:39:18.690Z"}}], "cna": {"title": "Sneeit Framework <= 8.3 - Unauthenticated Remote Code Execution in sneeit_articles_pagination_callback", "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Sneeit", "product": "Sneeit Framework", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T14:03:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve"}, {"url": "https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes"}], "descriptions": [{"lang": "en", "value": "The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:17.744Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6389", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:17.744Z", "dateReserved": "2025-06-20T02:01:57.382Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T02:26:49.836Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts."}], "id": "CVE-2025-6389", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T03:15:44.990", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:35:36.444322+00:00", "value": {"mitigation_remediation": ["Upgrade Sneeit Framework to the latest release above version 8.3, which removes the vulnerable callback. ", "If an upgrade cannot be performed immediately, block or remove unauthenticated access to the sneeit_articles_pagination_callback() function and sanitize any user\u2011supplied parameters so that call_user_func() is no longer invoked with untrusted data. ", "Implement strict input validation and avoid the use of call_user_func() for processing user input; follow best practices for safe code evaluation to prevent similar injection flaws in the future."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Sneeit Framework WordPress plugin the version 8.3 or earlier are affected. No specific patch version is listed beyond the statement that versions up to and including 8.3 contain the flaw. The vulnerability is present in the plugin, not the core WordPress software.", "description_and_impact": "The Sneeit Framework plugin for WordPress is vulnerable to remote code execution in all releases version 8.3 and older. The vulnerability lies in the sneeit_articles_pagination_callback() function, which accepts user input and forwards it directly to call_user_func(). This evaluation of arbitrary input allows an unauthenticated attacker to execute any PHP code on the host, enabling the installation of backdoors or the creation of new privileged user accounts. The flaw is a classic code injection weakness identified as CWE-94.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity, and the EPSS score of 0.01421 (~1.4%) reflects that while exploitation is possible it is not highly probable but still notable. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the flaw by sending crafted input to the sneeit_articles_pagination_callback() endpoint without authentication, likely via an HTTP request containing a parameter that is evaluated by call_user_func(). The lack of authentication checks means any visitor could potentially exploit the flaw. Once exploited, the attacker can run arbitrary code, compromising server confidentiality, integrity, and availability."}}}}, "created": "2025-12-01T15:19:24.045615+00:00", "updated": "2026-04-20T21:45:18.962570+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}