
Critical WordPress Flaw CVE-2025-6389 Exploited in Wild Attack

Active Exploitation of Critical Sneeit Framework WordPress Plugin Vulnerability and ICTBroadcast DDoS Botnet Deployment

  • A remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin has been actively exploited since November 24, 2025.
  • The flaw allows unauthenticated attackers to execute arbitrary PHP functions, potentially creating admin users and backdoors on affected sites.
  • Over 131,000 attack attempts have been blocked, including more than 15,000 in the last 24 hours, targeting sites with Sneeit Framework versions up to 8.3.
  • A critical ICTBroadcast flaw (CVE-2025-2611) is also being exploited to distribute a DDoS botnet called “frost,” designed to launch targeted denial-of-service attacks.
  • The “frost” botnet uses fourteen exploits and activates only when specific HTTP response indicators are found, limiting its spread.

A severe security vulnerability in the Sneeit Framework plugin for WordPress is under active attack, according to data reported by Wordfence. The remote code execution flaw identified as CVE-2025-6389, with a CVSS severity score of 9.8, affects all versions through 8.3 and was patched in version 8.4 released on August 5, 2025. The plugin currently has over 1,700 active installs.


The vulnerability stems from the sneeit_articles_pagination_callback() function, which improperly processes user input through the PHP function call_user_func(), allowing unauthorized attackers to execute code remotely. This can be leveraged to create malicious administrator accounts or install backdoors, enabling full site takeover. Wordfence noted, “This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for example, create new administrative user accounts.”

Since public disclosure on November 24, 2025, more than 131,000 attacks have been blocked, including over 15,000 in just the last 24 hours. Attackers have sent crafted HTTP requests to the “/wp-admin/admin-ajax.php” endpoint to create admin users such as “arudikadis” and upload malicious PHP files like “tijtewmg.php” for backdoor access. The attacks originated from multiple IP addresses, including 185.125.50.59, 182.8.226.51, and 89.187.175.80, among others.

Additionally, malicious PHP files found on compromised hosts have varied capabilities such as scanning, file manipulation, and extracting ZIP archives. Files named “xL.php,” “Canonical.php,” “.a.php,” and “simple.php” were observed. The “xL.php” script is downloaded by a helper file exploiting the vulnerability and also retrieves an “.htaccess” file from “racoonlab[.]top” to permit script access on Apache servers, according to Wordfence researcher István Márton.
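For site owners triaging their own logs, the sketch below is an added example (not Wordfence's or the plugin author's code) that flags access-log lines matching the indicators quoted above and checks a plugin version against the patched release. The combined log format, the sample log lines and the /wp-content/uploads/ path are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article (attributed there to Wordfence data).
REPORTED_IPS = {"185.125.50.59", "182.8.226.51", "89.187.175.80"}
REPORTED_FILES = {"tijtewmg.php", "xL.php", "Canonical.php", ".a.php", "simple.php"}
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format: ip - - [ts] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def triage(lines):
    """Return (line_no, reason) findings for access-log lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, method, target, status = m.groups()
        path = urlsplit(target).path          # drop any query string
        name = path.rsplit("/", 1)[-1]
        # POST bodies are not logged, so match on endpoint plus source IP.
        if method == "POST" and path == AJAX_PATH and ip in REPORTED_IPS:
            findings.append((no, "admin-ajax POST from reported IP"))
        # A 2xx answer means the file exists and was served by this host.
        # Generic names such as simple.php can be legitimate: verify on disk.
        if name in REPORTED_FILES and status.startswith("2"):
            findings.append((no, f"reported backdoor name served: {name}"))
    return findings

def plugin_is_vulnerable(version):
    """Versions through 8.3 are affected; 8.4 is the patched release."""
    return tuple(int(p) for p in version.split(".")[:2]) < (8, 4)

# Constructed sample lines; only the first source IP comes from the article.
SAMPLE_LOG = [
    '185.125.50.59 - - [25/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [25/Nov/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2025:10:02:11 +0000] "GET /wp-content/uploads/tijtewmg.php?x=1 HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.9 - - [25/Nov/2025:10:02:15 +0000] "GET /wp-content/uploads/xL.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
    print("8.3 vulnerable:", plugin_is_vulnerable("8.3"))
```

A hit is a prompt to inspect the host, not proof of compromise; the WordPress user list should also be checked for unexpected administrators such as the “arudikadis” account named above.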

In a related event, VulnCheck reported exploitation of a critical ICTBroadcast flaw (CVE-2025-2611, CVSS: 9.3) to deliver a distributed denial-of-service (DDoS) botnet named “frost.” The botnet downloads and executes architecture-specific binaries, then deletes traces to evade detection. VulnCheck’s Jacob Baines explained, “The ‘frost’ binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs.” It selectively initiates attacks based on HTTP response indicators like “Set-Cookie: user=(null)” and “Set-Cookie: user=admin” to avoid unnecessary activity.


These targeted attacks, launched from IP address 87.121.84.52, focus on fewer than 10,000 internet-facing vulnerable systems, suggesting a relatively small botnet scale. Evidence indicates the attacker possesses additional undisclosed capabilities beyond those visible in the observed exploits.
