Description
The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.
Published: 2025-11-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Sneeit Framework plugin for WordPress is vulnerable to remote code execution in all releases up to and including version 8.3. The vulnerability lies in the sneeit_articles_pagination_callback() function, which accepts user input and forwards it directly to call_user_func(). Letting a request choose which function is invoked allows an unauthenticated attacker to execute arbitrary PHP code on the host, enabling the installation of backdoors or the creation of new privileged user accounts. The flaw is a classic code injection weakness identified as CWE-94.

Affected Systems

All installations of the Sneeit Framework WordPress plugin at version 8.3 or earlier are affected. No specific patched version is listed beyond the statement that versions up to and including 8.3 contain the flaw. The vulnerability is present in the plugin, not in the core WordPress software.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score of 0.01421 (~1.4%) reflects that exploitation, while possible, is not currently estimated to be highly probable, though it remains notable for a flaw of this impact. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the flaw by sending crafted input to the sneeit_articles_pagination_callback() endpoint without authentication, likely via an HTTP request containing a parameter that is evaluated by call_user_func(). Because no authentication check is performed, any visitor could potentially exploit the flaw. Once exploited, the attacker can run arbitrary code, compromising server confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 20, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sneeit Framework to the latest release above version 8.3, which removes the vulnerable callback.
  • If an upgrade cannot be performed immediately, block or remove unauthenticated access to the sneeit_articles_pagination_callback() function and sanitize any user-supplied parameters so that call_user_func() is no longer invoked with untrusted data.
  • Implement strict input validation and avoid the use of call_user_func() for processing user input; follow best practices for safe code evaluation to prevent similar injection flaws in the future.
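The following is an added illustration of the pattern the advisory describes and of the allow-list approach the recommended actions call for. It is not the plugin's own code: the function names, the request parameters (callback, layout, page, _wpnonce) and the renderer names are all hypothetical, and the nonce check is passed in as a callable so the snippet runs outside WordPress (in a real plugin, check_ajax_referer() or wp_verify_nonce() would fill that role).

```php
<?php
// Hypothetical illustration; not the Sneeit Framework's code.

// The pattern the advisory describes: the request names the function to
// run, and that name goes straight into call_user_func().
function pagination_callback_vulnerable(array $request)
{
    $callback = $request['callback'] ?? '';
    return call_user_func($callback); // request decides which PHP function executes
}

// Hardened form: the request selects a key from a fixed allow-list; it can
// never name a PHP function directly. A nonce check and integer coercion of
// the page number are added because the advisory notes the handler is
// reachable unauthenticated.
const PAGINATION_RENDERERS = [
    'grid' => 'render_grid_page',
    'list' => 'render_list_page',
];

function render_grid_page(int $page): string { return "grid:$page"; }
function render_list_page(int $page): string { return "list:$page"; }

function pagination_callback_hardened(array $request, callable $nonce_check): string
{
    // In WordPress this would be check_ajax_referer('sneeit_pagination', '_wpnonce').
    if (!$nonce_check($request['_wpnonce'] ?? '')) {
        return 'forbidden';
    }
    $layout = (string) ($request['layout'] ?? '');
    if (!array_key_exists($layout, PAGINATION_RENDERERS)) {
        return 'bad request'; // unknown key: nothing is called
    }
    $page = max(1, (int) ($request['page'] ?? 1));
    return PAGINATION_RENDERERS[$layout]($page);
}

// Constructed sample requests for a stand-alone run.
$valid_nonce = static fn(string $n): bool => hash_equals('constructed-nonce', $n);
echo pagination_callback_hardened(['layout' => 'grid', 'page' => '3', '_wpnonce' => 'constructed-nonce'], $valid_nonce), "\n"; // grid:3
echo pagination_callback_hardened(['layout' => 'phpinfo', '_wpnonce' => 'constructed-nonce'], $valid_nonce), "\n";              // bad request
echo pagination_callback_hardened(['layout' => 'grid'], $valid_nonce), "\n";                                                     // forbidden
```

The key property is that the request's value is used only as a lookup key into a table the developer controls; the set of functions that can ever run is fixed at development time.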


Advisories

No advisories yet.

History

Mon, 01 Dec 2025 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 25 Nov 2025 03:00:00 +0000

Type                 Values Removed   Values Added
Description                           The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.
Title                                 Sneeit Framework <= 8.3 - Unauthenticated Remote Code Execution in sneeit_articles_pagination_callback
Weaknesses                            CWE-94
References
Metrics                               cvssV3_1
                                      {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:17.744Z

Reserved: 2025-06-20T02:01:57.382Z

Link: CVE-2025-6389

Vulnrichment

Updated: 2025-11-25T14:39:18.690Z

NVD

Status: Deferred

Published: 2025-11-25T03:15:44.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses