
A critical security flaw in the Sneeit Framework plugin for WordPress is being exploited in the wild, according to data from Wordfence.
The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to 8.3. It was patched in version 8.4, released on August 5, 2025. The plugin has over 1,700 active installations.
The flaw lies in the sneeit_articles_pagination_callback() function. “This function accepts user input and passes it to call_user_func(),” Wordfence said. “This allows an unauthenticated attacker to execute code on the server, which can be used to insert a backdoor or create a new administrative user account.”
This means that this vulnerability can be used to inject a malicious administrator user by calling arbitrary PHP functions such as wp_insert_user(). Attackers can then weaponize it to take control of your site and inject malicious code that redirects site visitors to other dangerous sites, malware, or spam.
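The pattern Wordfence describes, a request-supplied string handed straight to call_user_func(), is shown below next to the allow-list form that closes it. This is an added illustration, not the Sneeit Framework plugin's code: the function names, the `callback`/`action`/`page` request keys and the two handler names are assumptions, and the nonce and capability checks are passed in as callables so the snippet runs outside WordPress.

```php
<?php
// Added illustration modelled on Wordfence's description; not the plugin's code.
// Names of functions, request keys and handlers below are assumptions.

// Vulnerable pattern: the request names the function to run, so any PHP
// function reachable by name (the article cites wp_insert_user()) can be
// invoked by an unauthenticated caller.
function vulnerable_pagination_callback(array $request)
{
    $fn   = $request['callback'] ?? '';
    $args = $request['args'] ?? [];
    return call_user_func($fn, $args); // $fn is attacker-controlled
}

// Hardened pattern: the request may only select a key from a fixed map of
// handlers, and the AJAX nonce plus caller capability are verified first.
const PAGINATION_HANDLERS = [
    'next' => 'render_next_page', // hypothetical handler names
    'prev' => 'render_prev_page',
];

function render_next_page(array $args): string
{
    return 'page ' . ((int)($args['page'] ?? 1) + 1);
}

function render_prev_page(array $args): string
{
    return 'page ' . max(1, (int)($args['page'] ?? 1) - 1);
}

function hardened_pagination_callback(array $request, callable $nonce_ok, callable $can_read): string
{
    if (!$nonce_ok($request['nonce'] ?? '') || !$can_read()) {
        return 'forbidden';
    }
    $action = $request['action'] ?? '';
    if (!array_key_exists($action, PAGINATION_HANDLERS)) {
        return 'unknown action'; // request can only pick from the allow-list
    }
    // Only typed, validated data reaches the handler; no raw strings.
    $args = ['page' => max(1, (int)($request['page'] ?? 1))];
    return call_user_func(PAGINATION_HANDLERS[$action], $args);
}

// Stand-in checks so the example runs on its own; in WordPress these would be
// check_ajax_referer() and current_user_can().
$nonce_ok = fn(string $n): bool => $n === 'expected-nonce';
$can_read = fn(): bool => true;

echo hardened_pagination_callback(['action' => 'next', 'page' => 3, 'nonce' => 'expected-nonce'], $nonce_ok, $can_read), PHP_EOL; // page 4
echo hardened_pagination_callback(['action' => 'wp_insert_user', 'nonce' => 'expected-nonce'], $nonce_ok, $can_read), PHP_EOL;  // unknown action
echo hardened_pagination_callback(['action' => 'next', 'nonce' => 'bad'], $nonce_ok, $can_read), PHP_EOL;                       // forbidden
```

The point of the hardened version is that the string from the request is never itself a callable: it is a key into a map the code author wrote, so adding a handler is a code change, not something a request can do. The nonce and capability checks are a second layer; on an endpoint registered for unauthenticated use (wp_ajax_nopriv_), the allow-list is the control that actually matters.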
According to Wordfence, the actual exploitation began on November 24, 2025, the day of publication, and the company has blocked over 131,000 attempts targeting the flaw. Of these, 15,381 attack attempts were recorded in the last 24 hours alone.

Attack attempts involve sending specially crafted HTTP requests to the ‘/wp-admin/admin-ajax.php’ endpoint to create malicious administrator accounts such as ‘arudikadis’ and to upload a malicious PHP file, ‘tijtewmg.php’, that could provide backdoor access.
The attacks originated from the following IP addresses:
185.125.50[.]59
182.8.226[.]51
89.187.175[.]80
194.104.147[.]192
196.251.100[.]39
114.10.116[.]226
116.234.108[.]143
The WordPress security firm said it has also observed malicious PHP files capable of scanning directories, reading, editing, and deleting files, and extracting ZIP files. These PHP files are named “xL.php”, “Canonical.php”, “.a.php”, and “simple.php”.
According to Wordfence, the “xL.php” shell is downloaded by another PHP file, “up_sf.php”, that is designed to exploit this vulnerability. The same file also downloads a “.htaccess” file from an external server (“racoonlab[.]top”) to the compromised host.
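The source addresses and file names above are the kind of indicators a site operator can run against a web-server access log. The script below is an added example, not Wordfence's tooling: it parses combined-format log lines, flags hits from the published IP addresses or requests for the named PHP files, and only mentions admin-ajax.php when it coincides with another indicator, since POSTs to that endpoint are ordinary WordPress traffic. The three log lines are constructed for the example, not captured traffic.

```php
<?php
// Added example (not Wordfence's code). Scans combined-format access log
// lines for the indicators published for this campaign.

const CAMPAIGN_IPS = [
    '185.125.50.59', '182.8.226.51', '89.187.175.80', '194.104.147.192',
    '196.251.100.39', '114.10.116.226', '116.234.108.143',
];

const CAMPAIGN_FILES = [
    'tijtewmg.php', 'xL.php', 'Canonical.php', '.a.php', 'simple.php', 'up_sf.php',
];

// Parse one combined-log line into ip/method/path/status; null if it does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int)$m[4]];
}

// Return the reasons a parsed entry is suspicious (empty array = nothing found).
function classify(array $entry): array
{
    $reasons = [];
    if (in_array($entry['ip'], CAMPAIGN_IPS, true)) {
        $reasons[] = 'source IP published as attack origin';
    }
    $path = parse_url($entry['path'], PHP_URL_PATH); // strip the query string
    $basename = basename(is_string($path) ? $path : '');
    if (in_array($basename, CAMPAIGN_FILES, true)) {
        $reasons[] = "request for known dropped file {$basename}";
    }
    // admin-ajax.php is normal traffic; note it only alongside another indicator.
    if ($reasons && $entry['method'] === 'POST' && $basename === 'admin-ajax.php') {
        $reasons[] = 'POST to admin-ajax.php, the endpoint abused by this campaign';
    }
    return $reasons;
}

// Run every line through the parser and classifier; collect the hits.
function scan(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue; // malformed or non-combined-format line
        }
        $reasons = classify($entry);
        if ($reasons) {
            $hits[] = ['ip' => $entry['ip'], 'path' => $entry['path'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample lines for the example (not real captured traffic).
$sample = [
    '185.125.50.59 - - [24/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Nov/2025:10:01:05 +0000] "GET /wp-content/uploads/tijtewmg.php?x=1 HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.4 - - [24/Nov/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];

foreach (scan($sample) as $hit) {
    echo $hit['ip'], ' ', $hit['path'], ' -> ', implode('; ', $hit['reasons']), PHP_EOL;
}
```

The first two sample lines are reported and the third is not. A request for a file in the uploads directory that returns 200 is itself worth a look on any WordPress host, which is also why the .htaccess trick described below matters: it is what lets such a file execute where the upload directory would normally forbid it.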

“This .htaccess file ensures that access to files with a specific file extension is allowed on the Apache server,” says István Marton. “This is useful if access to the script is prohibited by other .htaccess files, such as in the upload directory.”
ICTBroadcast flaw exploited to deliver ‘Frost’ DDoS botnet
This disclosure comes after VulnCheck announced that it has observed a new attack exploiting a critical flaw in ICTBroadcast (CVE-2025-2611, CVSS score: 9.3) against honeypot systems to download a shell script stager, which in turn downloads multiple architecture-specific versions of a binary called “frost.”
After each downloaded version is executed, the payload and the stager itself are removed to hide any trace of the activity. The ultimate goal of this activity is to perform a Distributed Denial of Service (DDoS) attack against the intended target.

“The ‘frost’ binary combines spreader logic and DDoS tools, including 14 exploits against 15 CVEs,” said VulnCheck’s Jacob Baines. “What matters is how it spreads. Operators are not carpet-bombing the internet with exploits. ‘Frost’ checks the target first and only proceeds with the exploit if it finds certain indicators it expects.”
For example, the binary exploits CVE-2025-1610 only after receiving an HTTP response containing “Set-Cookie: user=(null)” and then a response to a second request containing “Set-Cookie: user=admin”. If these markers are not present, the binary remains dormant and does nothing. The attacks originate from IP address 87.121.84[.]52.
Although the identified vulnerabilities have been exploited by a variety of DDoS botnets, evidence suggests that the latest attacks are small-scale and targeted, given that fewer than 10,000 internet-exposed systems are affected by the vulnerabilities.
“This limits the size of the botnets built on top of these CVEs, making this operator a relatively small player,” Baines said. “Notably, the ICTBroadcast exploit that delivered this sample does not appear in the binary, indicating that the operator has additional capabilities not shown here.”
