A critical security flaw in the Sneeit Framework plugin for WordPress is now being actively exploited in the wild, according to data from Wordfence. Attackers are aggressively targeting the remote code execution vulnerability CVE-2025-6389 (CVSS score: 9.8), which affects all plugin versions up to and including 8.3. The developer released a fix in version 8.4 on August 5, 2025. The plugin currently runs on more than 1,700 active installations.
How the Vulnerability Works
“This is due to the [sneeit_articles_pagination_callback()] function accepting user input and then passing that through call_user_func(),” Wordfence said. “This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for example, create new administrative user accounts.”
In other words, attackers can call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator account. They can then seize control of the site and inject malicious code that redirects visitors to sketchy destinations, malware, or spam.
Wordfence reported that attackers began exploiting the flaw on November 24, 2025—the same day it became publicly known. Since then, the company has blocked over 131,000 attempts targeting the vulnerability. Additionally, the platform recorded 15,381 attack attempts in the past 24 hours alone.
Techniques Attackers Use
Attackers often send specially crafted HTTP requests to the /wp-admin/admin-ajax.php endpoint to create malicious users such as “arudikadis” and upload harmful PHP files like “tijtewmg.php”, which likely grant backdoor access.
These attacks originate from the following IP addresses:
- 185.125.50[.]59
- 182.8.226[.]51
- 89.187.175[.]80
- 194.104.147[.]192
- 196.251.100[.]39
- 114.10.116[.]226
- 116.234.108[.]143
Moreover, Wordfence observed several malicious PHP files with capabilities to scan directories, read and modify files, delete data, alter permissions, and extract ZIP files. These files include “xL.php,” “Canonical.php,” “.a.php,” and “simple.php.”
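For site operators who want to check their own access logs against the indicators listed above, the following Python script is an added example (not code from Wordfence or from the article). It matches the reported source IPs and web shell file names, and separately flags POSTs to /wp-admin/admin-ajax.php as a low-confidence signal, since that endpoint also carries plenty of legitimate WordPress traffic. The log lines it runs over are constructed for the example, and the combined log format is an assumption about the server.

```python
"""Triage web server access logs for the indicators reported in the
Sneeit Framework (CVE-2025-6389) campaign.

Assumptions: Apache/Nginx 'combined' log format. The IP addresses and file
names below come from the report; the sample log lines are constructed."""
import re
from collections import Counter

# Source IPs named in the report (defanged brackets removed).
REPORTED_IPS = {
    "185.125.50.59", "182.8.226.51", "89.187.175.80", "194.104.147.192",
    "196.251.100.39", "114.10.116.226", "116.234.108.143",
}
# File names named in the report as dropped shells / loaders.
REPORTED_SHELLS = {
    "tijtewmg.php", "xL.php", "Canonical.php", ".a.php", "simple.php", "up_sf.php",
}

# Leading fields of a 'combined' log line; referrer and user agent may follow.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of the leading fields, or None if the line does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines):
    """Return one finding per suspicious line, with the reasons it was flagged.

    Severity is 'high' when a reported IP or shell name is involved and 'low'
    when the only signal is a POST to admin-ajax.php, which is a normal
    WordPress endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        basename = path.rsplit("/", 1)[-1]
        reasons, severity = [], "low"
        if rec["ip"] in REPORTED_IPS:
            reasons.append("source IP listed in report")
            severity = "high"
        if basename in REPORTED_SHELLS:
            reasons.append(f"request for reported web shell name {basename}")
            severity = "high"
        if rec["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            reasons.append("POST to admin-ajax.php (exploit delivery endpoint)")
        if reasons:
            findings.append({"ip": rec["ip"], "path": path, "status": rec["status"],
                             "severity": severity, "reasons": reasons})
    return findings


def top_sources(lines):
    """Count high-severity findings per source IP, most frequent first."""
    counts = Counter(f["ip"] for f in triage(lines) if f["severity"] == "high")
    return counts.most_common()


# Constructed sample log; only the attacker IP and file names come from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2025:10:01:02 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5123
185.125.50.59 - - [25/Nov/2025:10:02:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 83
185.125.50.59 - - [25/Nov/2025:10:02:19 +0000] "GET /wp-content/uploads/tijtewmg.php HTTP/1.1" 200 412
198.51.100.7 - - [25/Nov/2025:10:05:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 12
192.0.2.44 - - [25/Nov/2025:10:07:00 +0000] "GET /wp-content/uploads/2025/11/xL.php HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
    print("high-severity sources:", top_sources(SAMPLE_LOG.splitlines()))
```

A 200 response to a request for one of the shell names is the line worth acting on first; a 404 still shows the host was probed and is worth correlating with the IP list.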
Additional Malicious Components
According to Wordfence, the “xL.php” shell is downloaded by another PHP file, “up_sf.php”, which is the component that actually exploits the vulnerability. This component also retrieves an “.htaccess” file from an external server (“racoonlab[.]top”) and places it on the compromised host.
“This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers,” István Márton said. “This is useful in cases where other .htaccess files prohibit access to scripts, for example, in upload directories.”
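The dropped .htaccess is a persistence artefact that a defender can look for directly: an uploads directory should contain .htaccess rules that deny script execution, not grant it, and it should contain no PHP files at all. The audit below is an added example (not Wordfence's tooling or the article's own code) that walks an uploads tree, flags .htaccess files carrying standard Apache directives that grant access to or enable handling of PHP, and lists any PHP-family files found. The directory it scans is constructed in a temporary folder with an assumed layout; the “.a.php” name comes from the report, the placeholder contents are made up.

```python
"""Audit a WordPress uploads directory for a permissive .htaccess and for
PHP files that should not be there.

The directive names are standard Apache ones; the sample tree is constructed
in a temporary directory for this example."""
import os
import re
import tempfile

# Directives that grant access to, or enable execution of, PHP scripts.
# A hardening .htaccess in uploads/ contains the opposite (deny / engine off).
PERMISSIVE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler)\b.*php"
    r"|^\s*Require\s+all\s+granted"
    r"|^\s*Allow\s+from\s+all"
    r"|^\s*php_flag\s+engine\s+on",
    re.IGNORECASE | re.MULTILINE,
)
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def permissive_directives(text):
    """Return the permissive directive lines found in an .htaccess body."""
    return [m.group(0).strip() for m in PERMISSIVE.finditer(text)]


def audit_uploads(uploads_dir):
    """Walk uploads_dir and report permissive .htaccess files and PHP files."""
    findings = {"permissive_htaccess": [], "php_files": []}
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
            if name == ".htaccess":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = permissive_directives(fh.read())
                if hits:
                    findings["permissive_htaccess"].append((rel, hits))
            elif name.lower().endswith(PHP_SUFFIXES):
                findings["php_files"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


# Constructed sample tree: a dropped permissive .htaccess at the top of uploads/,
# a legitimate hardening .htaccess in a subfolder, a placeholder PHP file using a
# name from the report, and an ordinary image.
SAMPLE_TREE = {
    ".htaccess": (
        "# constructed: mimics a dropped file that re-enables PHP access\n"
        "<FilesMatch \"\\.(php|phtml)$\">\n"
        "    Require all granted\n"
        "</FilesMatch>\n"
        "AddHandler application/x-httpd-php .php\n"
    ),
    "2025/11/.htaccess": (
        "# constructed: the hardening most sites want in uploads\n"
        "<FilesMatch \"\\.php$\">\n"
        "    Require all denied\n"
        "</FilesMatch>\n"
    ),
    "2025/11/.a.php": "<?php // constructed placeholder, not a real shell\n",
    "2025/11/photo.jpg": "not really a jpeg\n",
}


def build_sample_tree(root):
    """Write SAMPLE_TREE under root."""
    for rel, body in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_uploads(root)


if __name__ == "__main__":
    print(demo())
```

Run `audit_uploads("/path/to/wp-content/uploads")` against a live site; any entry in `php_files` or `permissive_htaccess` warrants a manual look, since a clean uploads tree produces an empty result for both.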
Related Attacks on ICTBroadcast
Meanwhile, VulnCheck reported new attacks that exploit a critical ICTBroadcast flaw (CVE-2025-2611, CVSS score: 9.3). These attacks target honeypot systems to download a shell script stager, which then retrieves multiple architecture-specific versions of a binary called “frost.”
Each version executes immediately and then deletes both the payloads and the stager to conceal evidence of the intrusion. Ultimately, the attackers aim to launch distributed denial-of-service (DDoS) attacks against selected targets.
“The ‘frost’ binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs,” Jacob Baines of VulnCheck said. “The important part is how it spreads. The operator is not carpet bombing the internet with exploits. ‘Frost’ checks the target first and only proceeds with exploitation when it sees the specific indicators it expects.”
For example, the binary only exploits CVE-2025-1610 after receiving an HTTP response containing “Set-Cookie: user=(null)” followed by another response with “Set-Cookie: user=admin.” If these indicators do not appear, the binary remains dormant. The attacks come from the IP address 87.121.84[.]52.
Although various DDoS botnets have exploited these vulnerabilities, evidence suggests that this latest wave represents a smaller, more targeted campaign. Fewer than 10,000 internet-exposed systems remain vulnerable.
“This limits how large a botnet built on these CVEs can get, which makes this operator a relatively small player,” Baines said. “Notably, the ICTBroadcast exploit that delivered this sample does not appear in the binary, which indicates the operator has additional capabilities not visible here.”
Source: TheHackerNews