A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.
The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.
“This is due to the [sneeit_articles_pagination_callback()] function accepting user input and then passing that through call_user_func(),” Wordfence said. “This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for example, create new administrative user accounts.”
In other words, the vulnerability can be leveraged to call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator user, which an attacker can then weaponize to seize control of the site and inject malicious code that can redirect site visitors to other sketchy sites, malware, or spam.
Wordfence said in-the-wild exploitation commenced on November 24, 2025, the same day it was publicly disclosed, with the company blocking over 131,000 attempts targeting the flaw. Out of these, 15,381 attack attempts were recorded over the past 24 hours alone.
Some of the efforts include sending specially crafted HTTP requests to the “/wp-admin/admin-ajax.php” endpoint to create a malicious admin user account like “arudikadis” and upload a malicious PHP file “tijtewmg.php” that likely grants backdoor access.
The attacks have originated from the following IP addresses –
- 185.125.50[.]59
- 182.8.226[.]51
- 89.187.175[.]80
- 194.104.147[.]192
- 196.251.100[.]39
- 114.10.116[.]226
- 116.234.108[.]143
The WordPress security company said it also observed malicious PHP files that come with capabilities to scan directories, read, edit, or delete files and their permissions, and allow for the extraction of ZIP files. These PHP files go by the names “xL.php,” “Canonical.php,” “.a.php,” and “simple.php.”
The “xL.php” shell, per Wordfence, is downloaded by another PHP file called “up_sf.php” that’s designed to exploit the vulnerability. It also downloads an “.htaccess” file from an external server (“racoonlab[.]top”) onto the compromised host.
“This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers,” István Márton said. “This is useful in cases where other .htaccess files prohibit access to scripts, for example, in upload directories.”
ICTBroadcast Flaw Exploited to Deliver “Frost” DDoS Botnet
The disclosure comes as VulnCheck said it observed fresh attacks exploiting a critical ICTBroadcast flaw (CVE-2025-2611, CVSS score: 9.3) targeting its honeypot systems to download a shell script stager that downloads multiple architecture-specific versions of a binary called “frost.”
Each of the downloaded versions is executed, followed by the deletion of the payloads…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
