
Hackers Actively Exploiting WordPress Plugin Vulnerability to Execute Remote Code

ID: d5a1ac15-051c-5573-bae3-d257190b241e

STIX ID: report--d5a1ac15-051c-5573-bae3-d257190b241e

Feed Name: cybersecurityNews.com

Threat Score: 86/100

Date Published: 2025-12-04

Date Updated: 2026-04-21

Author: Tushar Subhra Dutta


A critical unauthenticated remote code execution (RCE) vulnerability (CVE-2025-6389, CVSS 9.8) in the Sneeit Framework (versions 8.3 and earlier) is being actively exploited via specially crafted AJAX POST requests to wp-admin/admin-ajax.php. Exploitation enables attackers to execute PHP, create admin accounts, upload webshells (examples: xL.php, upsf.php) from domains such as racoonlab.top, and install persistent backdoors. Wordfence reports 131,000+ blocked attempts and recommends an immediate update to version 8.4 or later.
