A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited, according to data from Wordfence. The vulnerability, a remote code execution (RCE) flaw tracked as CVE-2025-6389 and carrying a critical CVSS score of 9.8, affects all versions of the plugin up to and including 8.3. The flaw has been patched in version 8.4, which was released on August 5, 2025. This plugin is currently used on more than 1,700 active WordPress installations.
The vulnerability stems from the sneeit_articles_pagination_callback() function accepting user input and passing it through call_user_func(), which allows unauthenticated attackers to execute code on the server. This capability can be leveraged to inject backdoors or create new administrative user accounts, effectively allowing the attacker to call an arbitrary PHP function. For example, an attacker can use this to call wp_insert_user() to create a malicious administrator account, which they can then use to take complete control of the site and inject malicious code that redirects visitors to sketchy sites, malware, or spam.
Wordfence observed that exploitation in the wild started on November 24, 2025, the same day the vulnerability was publicly disclosed. Since then, the company has blocked over 131,000 attack attempts targeting this flaw, with more than 15,000 attempts recorded in a recent 24-hour period. Some observed attack methods involve sending specially crafted HTTP requests to the “/wp-admin/admin-ajax.php” endpoint to create a malicious admin user (like “arudikadis”) and upload a malicious PHP file (“tijtewmg.php”) to establish backdoor access. These attacks have originated from multiple IP addresses, including 185.125.50[.]59, 182.8.226[.]51, 89.187.175[.]80, 194.104.147[.]192, 196.251.100[.]39, 114.10.116[.]226, and 116.234.108[.]143.
Wordfence also noted the use of malicious PHP files—named “xL.php,” “Canonical.php,” “.a.php,” and “simple.php”—that function as shells to scan directories, read, edit, or delete files, modify permissions, and extract ZIP files. The “xL.php” shell is downloaded by another PHP file, “up_sf.php,” which is designed to exploit the vulnerability. It also downloads an .htaccess file from an external server (racoonlab[.]top) to the compromised host, which ensures that access to files with certain extensions is granted on Apache servers, circumventing potential restrictions in other .htaccess files, such as those in upload directories.
In related news, VulnCheck reported new attacks exploiting a critical ICTBroadcast flaw, CVE-2025-2611 (CVSS score: 9.3), on their honeypot systems. These attacks download a shell script that retrieves multiple architecture-specific versions of a binary named “frost,” which is a DDoS botnet. The Frost binary combines DDoS tooling with spreading logic that incorporates fourteen exploits for fifteen different CVEs. Notably, the operator behind this attack is not indiscriminately launching exploits; the “frost” binary first checks the target for specific indicators before proceeding with exploitation, making it a smaller, more targeted operation. For example, the binary only exploits CVE-2025-1610 after receiving specific cookie responses to initial HTTP requests. The attacks are currently being launched from the IP address 87.121.84[.]52.
Reference:
