Critical WordPress RCE Vulnerability Exploited in the Wild: Sneeit Framework Plugin Under Attack (2026)

A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, according to Wordfence. The remote code execution vulnerability, CVE-2025-6389 (CVSS 9.8), affects all versions up to and including 8.3 and was patched in version 8.4, released August 5, 2025. The plugin has over 1,700 active installations.

The core issue, as Wordfence explains, lies in the function sneeit_articles_pagination_callback(), which accepts user input and passes it to call_user_func(). This design flaw enables unauthenticated attackers to execute arbitrary PHP functions on the server, potentially allowing backdoor installation or creation of new administrator accounts. In practical terms, this means a malicious actor could run functions like wp_insert_user() to add an admin user and then inject code that redirects visitors, hosts malware, or spams content.

In-the-wild exploitation began on November 24, 2025, the same day the vulnerability was publicly disclosed. Wordfence blocked more than 131,000 attempts targeting the flaw, with 15,381 attempts recorded in the last 24 hours alone. Attackers have been sending specially crafted HTTP requests to /wp-admin/admin-ajax.php to create malicious admin accounts (for example, the user “arudikadis”) and to upload a malicious PHP file (“tijtewmg.php”) that likely provides backdoor access.

Several malicious PHP files were observed, including xL.php, Canonical.php, .a.php, and simple.php. The xL.php shell is downloaded by another script, up_sf.php, which exploits the vulnerability and fetches an external .htaccess file from racoonlab.top to extend access permissions. This .htaccess file helps bypass restrictions on Apache servers, enabling continued access in directories where uploads or scripts might otherwise be blocked.

Separately, researchers reported fresh attacks leveraging an ICTBroadcast flaw (CVE-2025-2611, CVSS 9.3) to deploy a DDoS toolchain. The campaigns use a shell script stager to download multiple architecture-specific versions of a binary named frost, which then executes and self-deletes to erase traces. The frost binary combines DDoS capabilities with spreader logic that targets a set of CVEs—14 exploits across 15 CVEs—only proceeding when specific indicators are detected in the HTTP responses. Attacks originate from IP 87.121.84.52.

The frost campaigns appear to be targeted and not broad-scale, with fewer than 10,000 internet-exposed systems likely affected. This suggests the operator is relatively small, and the ICTBroadcast exploit observed does not appear in the binary itself, implying additional capabilities not visible in the observed sample.

If you manage a WordPress site using the Sneeit Framework plugin, ensure you upgrade to version 8.4 or later and audit for any signs of unauthorized admin accounts, backdoor PHP files, or unusual Apache directives. For broader protection, regularly review access to admin-ajax.php, monitor for unusual file uploads, and apply defense-in-depth measures such as robust authentication, least-privilege permissions, and web application firewall rules to mitigate similar zero-day-style abuses. Have you checked your sites for such indicators recently, and what steps would you take if you discovered a suspicious admin account or backdoor script?
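
The file audit recommended above, as an added example (not code from Wordfence or from the plugin): it walks a WordPress directory and lists the file names reported in this article, PHP files under wp-content/uploads, and .htaccess files there that contain handler or access directives. The function name audit_tree, the reason labels and the directive list are assumptions made for this example; every hit is a lead for manual review, since names such as simple.php can also be legitimate.

```python
import os
import re
import sys
from pathlib import Path

# File names reported in the article above; matched case-sensitively.
REPORTED_NAMES = {"xL.php", "Canonical.php", ".a.php", "simple.php",
                  "up_sf.php", "tijtewmg.php"}
PHP_EXT = (".php", ".phtml", ".phar")
# Assumption: Apache directives worth a second look in an uploads-area
# .htaccess, because they can re-enable script handling or loosen access.
HTACCESS_RE = re.compile(
    r"^\s*(AddHandler|SetHandler|AddType|Require\s+all\s+granted|Allow\s+from\s+all)\b",
    re.IGNORECASE | re.MULTILINE)


def audit_tree(wp_root):
    """Return sorted (reason, relative_path) leads for manual review."""
    root = Path(wp_root)
    leads = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_uploads = rel_dir.parts[:2] == ("wp-content", "uploads")
        for name in files:
            rel = (rel_dir / name).as_posix()
            if name in REPORTED_NAMES:
                leads.append(("reported-filename", rel))
            elif in_uploads and name.lower().endswith(PHP_EXT):
                # Uploads normally hold media, not executable scripts.
                leads.append(("php-in-uploads", rel))
            elif in_uploads and name == ".htaccess":
                try:
                    text = (Path(dirpath) / name).read_text(errors="replace")
                except OSError:
                    leads.append(("htaccess-unreadable", rel))
                    continue
                if HTACCESS_RE.search(text):
                    leads.append(("htaccess-directive", rel))
    return sorted(leads)


if __name__ == "__main__":
    # Usage: python audit_tree.py /path/to/wordpress
    for reason, rel in audit_tree(sys.argv[1]):
        print(f"{reason}\t{rel}")
```

Run it against a copy or read-only mount of the site, and compare modification times of any hits with the November 24, 2025 disclosure date.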

Author: Madonna Wisozk
