
Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, according to data from Wordfence.

The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It was patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.

“This is due to the [sneeit_articles_pagination_callback()] function accepting user input and then passing it through call_user_func(),” Wordfence said. “This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for instance, create new administrative user accounts.”

In other words, the vulnerability can be leveraged to call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator user, which an attacker can then weaponize to seize control of the site and inject malicious code that can redirect site visitors to other sketchy sites, malware, or spam.

Wordfence said in-the-wild exploitation commenced on November 24, 2025, the same day it was publicly disclosed, with the company blocking over 131,000 attempts targeting the flaw. Of those, 15,381 attack attempts were recorded over the past 24 hours alone.


Some of the efforts include sending specially crafted HTTP requests to the “/wp-admin/admin-ajax.php” endpoint to create a malicious admin user account like “arudikadis” and add a malicious PHP file “tijtewmg.php” that likely grants backdoor access.


The attacks have originated from the following IP addresses –

  • 185.125.50[.]59
  • 182.8.226[.]51
  • 89.187.175[.]80
  • 194.104.147[.]192
  • 196.251.100[.]39
  • 114.10.116[.]226
  • 116.234.108[.]143

The WordPress security company said it also observed malicious PHP files that include capabilities to scan directories, read, edit, or delete files and their permissions, and allow for the extraction of ZIP files. These PHP files go by the names “xL.php,” “Canonical.php,” “.a.php,” and “easy.php.”

The “xL.php” shell, per Wordfence, is downloaded by another PHP file called “up_sf.php” that is designed to exploit the vulnerability. It also downloads an “.htaccess” file from an external server (“racoonlab[.]top”) onto the compromised host.

“This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers,” István Márton said. “This is useful in cases where other .htaccess files restrict access to scripts, for example, in upload directories.”
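The indicators above (the attacking IP addresses, the dropped file names, the admin-ajax.php endpoint and the reliance on PHP executing from an upload directory) can be turned into a simple log triage check. The following is an added example written for this article, not Wordfence's or the plugin's code: it parses combined-format web server log lines, refangs the article's defanged IPs, and tags each line with the indicators it matches. The log lines themselves are constructed for the demo; only the IPs and file names come from the article. POSTs to admin-ajax.php are normal WordPress traffic, so the example reports them only when they coincide with another indicator.

```python
"""Tag web-server log lines that match the Sneeit exploitation indicators reported above.

Added example, not code from Wordfence or the article. IPs and file names are the
published indicators; the sample log lines are constructed for this demonstration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators as published (defanged with "[.]"); refanged below for matching.
DEFANGED_IPS = [
    "185.125.50[.]59", "182.8.226[.]51", "89.187.175[.]80", "194.104.147[.]192",
    "196.251.100[.]39", "114.10.116[.]226", "116.234.108[.]143",
]
SUSPECT_FILES = ["tijtewmg.php", "xL.php", "Canonical.php", ".a.php", "easy.php", "up_sf.php"]
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
UPLOADS_PREFIX = "/wp-content/uploads/"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")


KNOWN_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Apache/nginx "combined" log format; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line: str) -> list[str]:
    """Return the indicator tags a single log line triggers ([] when clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]  # surface parse failures rather than silently dropping them
    ip, method, path = m["ip"], m["method"], m["path"]
    path_only = path.split("?", 1)[0]
    basename = path_only.rsplit("/", 1)[-1]
    tags: list[str] = []
    if ip in KNOWN_IPS:
        tags.append("known-attacker-ip")
    if basename in SUSPECT_FILES:
        tags.append("dropped-file:" + basename)
    # PHP requested from the uploads directory is what the dropped .htaccess enables.
    if path_only.startswith(UPLOADS_PREFIX) and path_only.endswith(".php"):
        tags.append("php-in-uploads")
    # admin-ajax.php POSTs are routine; only note them alongside another indicator.
    if method == "POST" and path_only == AJAX_ENDPOINT and tags:
        tags.append("admin-ajax-post")
    return tags


def scan(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (line, tags) for every line that triggers at least one tag."""
    return [(line, classify(line)) for line in lines if classify(line)]


# Constructed sample log (RFC 5737 documentation addresses for the benign clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Nov/2025:10:01:02 +0000] "GET /wp-content/uploads/2025/11/photo.jpg HTTP/1.1" 200 51234',
    '185.125.50.59 - - [24/Nov/2025:10:02:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43',
    '185.125.50.59 - - [24/Nov/2025:10:02:19 +0000] "GET /wp-content/uploads/tijtewmg.php HTTP/1.1" 200 12',
    '198.51.100.20 - - [24/Nov/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2048',
    '198.51.100.20 - - [24/Nov/2025:10:06:00 +0000] "GET /wp-content/uploads/xL.php HTTP/1.1" 200 900',
    "garbage line",
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG):
        print(", ".join(tags), "<-", line)
```

The "php-in-uploads" tag is the one worth keeping even after the listed IPs rotate: a request that executes a .php file under the uploads directory is abnormal on a correctly configured site, and it is exactly the condition the attacker's dropped .htaccess exists to permit.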

ICTBroadcast Flaw Exploited to Deliver “Frost” DDoS Botnet

The disclosure comes as VulnCheck said it observed fresh attacks exploiting a critical ICTBroadcast flaw (CVE-2025-2611, CVSS score: 9.3) targeting its honeypot systems to download a shell script stager that downloads several architecture-specific versions of a binary called “frost.”


Each of the downloaded versions is executed, followed by the deletion of the payloads and the stager itself to cover up traces of the activity. The end goal of the activity is to carry out distributed denial-of-service (DDoS) attacks against targets of interest.


“The ‘frost’ binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs,” VulnCheck’s Jacob Baines said. “The important part is how it spreads. The operator is not carpet bombing the internet with exploits. ‘Frost’ checks the target first and only proceeds with exploitation when it sees the specific indicators it expects.”

For instance, the binary exploits CVE-2025-1610 only after receiving an HTTP response that contains “Set-Cookie: user=(null)” and then a follow-on response to a second request that contains “Set-Cookie: user=admin.” If these markers aren’t present, the binary stays dormant and does nothing. The attacks are launched from the IP address 87.121.84[.]52.

While the identified vulnerabilities have been exploited by various DDoS botnets, evidence points to the latest attacks being a small, targeted operation, given that there are fewer than 10,000 internet-exposed systems that are susceptible to them.


“This limits how large a botnet built on these CVEs can get, which makes this operator a relatively small player,” Baines said. “Notably, the ICTBroadcast exploit that delivered this sample doesn’t appear in the binary, which indicates the operator has more capabilities not seen here.”
