Subj : Sneeit WordPress RCE flaw allows hackers to add themselves as adm To : All From : TechnologyDaily Date : Mon Dec 08 2025 17:45:07 Sneeit WordPress RCE flaw allows hackers to add themselves as admin - here's how to stay safe Date: Mon, 08 Dec 2025 17:40:00 +0000 Description: A critical flaw in a WordPress add-on was recently patched, which allows crooks to add a rogue admin account to the site. FULL STORY ======================================================================WordFenc e disclosed critical RCE flaw (CVE-2025-6389) in Sneeit Framework plugin, affecting versions 8.3 Exploitation allows attackers to create admin accounts, install malicious plugins, and hijack WordPress sites Users urged to update to v8.4, monitor for rogue admins, suspicious PHP files, and malicious AJAX activity Security researchers from WordFence have warned about a critical-severity vulnerability in a popular plugin which allows threat actors to add themselves as admins on WordPress sites. In a security advisory published last week, WordFence said it found a remote code execution (RCE) bug in Sneeit Framework, a backend toolkit WordPress admins use to manage theme options, layouts, and custom features. The bug is tracked as CVE-2025-6389, was given a severity score 9.8/10 (critical) and affects all versions of the plugin prior to, and including, 8.3. Version 8.4, released in early August 2025, is not affected. According to The Hacker News, the plugin currently has more than 1,700 active installations. Catch the price drop- Get 30% OFF for Enterprise and Business plans The Black Friday campaign offers 30% off for Enterprise and Business plans for a 1- or 2-year subscription. Its valid until December 10th, 2025. Customers must enter the promo code BLACKB2B-30 at checkout to redeem the offer. View Deal How to stay safe Explaining how the vulnerability works, WordFence said that malicious actors could call an arbitrary PHP function and have it create a new admin user, which the attackers can then use to take full control over the target website. After that, they can easily install malicious plugins, add data scrapers, redirect victims to other sites, introduce phishing landing pages, and more. Criminals reportedly started exploiting the flaw the moment it was publicly announced. The very first day, WordFence blocked more than 131,000 attacks, and even today, the number of daily attacks hovers at around 15,000. The best way to remain safe from this vulnerability is to update the plugin to version 8.4. Users are also advised to keep their WordPress platform, as well as all other plugins and themes, updated at all times. Furthermore, all elements that are not in use should be deleted from the platform. There are also indicators of compromise that webmasters should look out for - such as the appearance of a new, unauthorized WordPress admin account, created through the vulnerable AJAX callback. Another red flag is the presence of malicious PHP files uploaded to the server, including webshells named xL.php, Canonical.php, .a.php, simple.php, or up_sf.php, as well as suspicious .htaccess files designed to allow execution of dangerous file types. Compromised sites may also contain files like finderdata.txt or goodfinderdata.txt, generated by the attackers shell-finder tool. Log files showing successful AJAX requests from known attacking IPs such as 185.125.50.59, 182.8.226.51, 89.187.175.80, and others listed in the report are another strong indicator that the vulnerability was used to access the site. Via The Hacker News Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button! And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too. ====================================================================== Link to news story: https://www.techradar.com/pro/security/sneeit-wordpress-rce-flaw-allows-hacker s-to-add-themselves-as-admin-heres-how-to-stay-safe --- Mystic BBS v1.12 A49 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .