CVE-2025-6389

CriticalRCE

Published: 25 November 2025

Published

25 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0118 79.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-6389 is a critical-severity Code Injection (CWE-94) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the RCE vulnerability in Sneeit Framework plugin versions up to 8.3 by requiring timely flaw identification, reporting, and patching per advisories.

SI-10 Information Input Validation good match

prevent

Enforces validation of unsanitized user input to the sneeit_articles_pagination_callback() function before passing to call_user_func(), preventing arbitrary PHP code execution.

SI-7 Software, Firmware, and Information Integrity partial match

detect

Verifies software and information integrity to detect unauthorized changes like backdoors or admin accounts created via exploitation of the RCE vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote code execution in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This…

makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.

Deeper analysisAI

CVE-2025-6389 is a critical remote code execution (RCE) vulnerability affecting the Sneeit Framework plugin for WordPress in all versions up to and including 8.3. The flaw resides in the sneeit_articles_pagination_callback() function, which accepts unsanitized user input and passes it directly to PHP's call_user_func(), enabling arbitrary code injection as classified under CWE-94. With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-11-25.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. Successful exploitation allows execution of arbitrary PHP code on the affected server, which attackers can leverage to inject persistent backdoors or create new administrative user accounts, potentially leading to full server compromise.

Advisories detailing the vulnerability, including potential mitigations and patches, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve and the theme's release notes on ThemeForest at https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes.