A critical security flaw within the WordPress Sneeit Framework plugin, identified as CVE-2025-6389, is currently being actively exploited in the wild. This remote code execution vulnerability poses a significant threat, with a CVSS score of 9.8, affecting all versions of the plugin up to and including 8.3. A patch was released in version 8.4 on August 5, 2025, though the plugin still has over 1,700 active installations.
The vulnerability arises in the `sneeit_articles_pagination_callback()` function, which passes user-supplied input to `call_user_func()`, so the request can choose which function the server invokes. This design flaw enables unauthenticated attackers to execute arbitrary code on the server. Security researchers at Wordfence reported that exploitation began on November 24, 2025, the same day the vulnerability was publicly disclosed. The company has since blocked over 131,000 attempts targeting this flaw, with a significant surge of 15,381 attempts recorded within the last 24 hours alone.
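As an added illustration (not the plugin's own code, which is not reproduced here), the hypothetical handler below contrasts the risky pattern, a request-controlled name reaching `call_user_func()`, with a hardened version that resolves the request to a fixed allowlist; the function names, keys and request fields are assumptions.

```php
<?php
// Added illustrative example, not the Sneeit Framework's actual code.
// A hypothetical admin-ajax pagination handler showing the risky pattern
// (a request-controlled value reaching call_user_func()) beside a
// hardened version that only dispatches to a constant allowlist.

// Hypothetical rendering callbacks a pagination handler might dispatch to.
function render_latest_articles( array $args ): string { return 'latest'; }
function render_popular_articles( array $args ): string { return 'popular'; }

// RISKY: the callback name comes straight from the request. PHP will invoke
// any function with that name, including built-ins, so whoever controls the
// request controls what code runs.
function ajax_pagination_risky( array $request ): string {
    $callback = $request['callback'] ?? '';
    $args     = $request['args'] ?? [];
    return call_user_func( $callback, $args );
}

// HARDENED: the request supplies only a short key; the real callable is
// looked up in a constant allowlist, so no request value is ever executed.
const PAGINATION_HANDLERS = [
    'latest'  => 'render_latest_articles',
    'popular' => 'render_popular_articles',
];

function ajax_pagination_hardened( array $request ): string {
    $key = $request['type'] ?? '';
    if ( ! is_string( $key ) || ! isset( PAGINATION_HANDLERS[ $key ] ) ) {
        // Unknown key: refuse rather than guess. In a real WordPress handler
        // this is where wp_send_json_error() would be called.
        return '';
    }
    // A real handler would also run check_ajax_referer() and a capability
    // check before doing any work on behalf of the request.
    $args = is_array( $request['args'] ?? null ) ? $request['args'] : [];
    return call_user_func( PAGINATION_HANDLERS[ $key ], $args );
}

// Constructed request: the hardened handler ignores the attacker-chosen
// 'callback' field entirely and dispatches only on the allowlisted key.
$constructed = [ 'type' => 'latest', 'callback' => 'phpinfo', 'args' => [] ];
var_dump( ajax_pagination_hardened( $constructed ) );
var_dump( ajax_pagination_hardened( [ 'type' => 'phpinfo' ] ) );
```

The second call returns an empty string because `phpinfo` is not an allowlisted key, which is the behaviour the fixed plugin version needs to guarantee.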
Sneeit Framework Vulnerability: Real-World Exploitation and Impact
The active exploitation of the Sneeit Framework vulnerability highlights the immediate risks faced by WordPress users. Attackers are leveraging this flaw to inject backdoors, create new administrative user accounts, and ultimately seize control of websites.
According to telemetry from Wordfence, attackers are crafting specific HTTP requests directed at the `/wp-admin/admin-ajax.php` endpoint. These requests aim to establish malicious administrator accounts, such as “arudikadis,” and upload backdoors, like the PHP file named “tijtewmg.php.” The objective is to gain persistent access and facilitate further malicious activities, including injecting harmful code that could redirect visitors to phishing sites, distribute malware, or propagate spam.
A range of malicious PHP files, including “xL.php,” “Canonical.php,” “.a.php,” and “simple.php,” have been observed in the wild. These files are equipped with capabilities to scan directories, modify or delete files and their permissions, and extract ZIP archives. The “xL.php” shell, in particular, is reportedly downloaded by another PHP file, “up_sf.php,” designed to exploit the vulnerability. Additionally, an `.htaccess` file is downloaded from an external server (`racoonlab[.]top`), which can grant access to specific file extensions on Apache servers, potentially bypassing restrictions in other `.htaccess` files and aiding in the compromise of upload directories.
Current attack origins have been tracked to several IP addresses.
ICTBroadcast Flaw Leads to Frost DDoS Botnet Deployment
In parallel, security researchers are observing a separate critical vulnerability being exploited in the ICTBroadcast system. Identified as CVE-2025-2611 with a CVSS score of 9.3, this flaw is being used to deploy the “Frost” distributed denial-of-service (DDoS) botnet.
VulnCheck reported that attackers are targeting its honeypot systems via the ICTBroadcast flaw. The initial exploit delivers a shell script stager that subsequently downloads multiple architecture-specific versions of a binary called “frost.” These downloaded versions are then executed, with the payloads and stager itself being deleted afterward to obscure the attacker’s tracks.
The “frost” binary is designed not only for DDoS attacks but also includes spreader logic that leverages fourteen exploits for fifteen different Common Vulnerabilities and Exposures (CVEs). According to VulnCheck’s Jacob Baines, the botnet’s spread is not indiscriminate. Instead, “Frost” actively checks target systems for specific indicators before initiating an exploit. For example, it will only exploit CVE-2025-1610 after receiving a particular HTTP response indicating a vulnerable configuration.
The attacks associated with the Frost botnet originate from IP address 87.121.84[.]52. While vulnerabilities like these have previously been utilized by various DDoS botnets, current evidence suggests these are part of a smaller, more targeted operation. With fewer than 10,000 internet-exposed systems susceptible to these specific exploits, the potential size of a botnet built upon them is limited, marking the operator as a relatively minor player. Notably, the ICTBroadcast exploit used to facilitate this deployment is not found within the “frost” binary itself, suggesting the operator possesses additional, undisclosed capabilities.
The ongoing exploitation of these vulnerabilities underscores the persistent threat landscape facing web applications. Users of the Sneeit Framework plugin are strongly advised to update to version 8.4 or later immediately. Similarly, administrators of ICTBroadcast systems should ensure their installations are secured against CVE-2025-2611. The rapid development and deployment of such exploits highlight the need for continuous vigilance and prompt patch management within the cybersecurity community.