Detections
Analytics

WordPress Plugin 'Sneeit Framework' < 8.4 Code Execution

critical Nessus Plugin ID 278112

Language:

Synopsis

The remote WordPress application has a plugin installed that is affected by a code execution vulnerability.

Description

The WordPress application running on the remote host has a version of the 'Sneeit Framework' plugin that is prior to 8.4 and, thus, is affected by a code execution vulnerability. The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.

Solution

Update the 'Sneeit Framework' plugin to version 8.4 or later through the administrative dashboard.

See Also

http://www.nessus.org/u?41d4aced

Plugin Details

Severity: Critical

ID: 278112

File Name: wordpress_plugin_sneeit_framework_8_4.nasl

Version: 1.2

Type: remote

Family: CGI abuses

Published: 12/10/2025

Updated: 2/25/2026

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-6389

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: installed_sw/WordPress, www/PHP

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/5/2025

Vulnerability Publication Date: 11/24/2025

Reference Information

CVE: CVE-2025-6389