Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.

The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.

“This is due to the [sneeit_articles_pagination_callback()] function accepting user input and then passing that through call_user_func(),” Wordfence said. “This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for example, create new administrative user accounts.”

In other words, the vulnerability can be leveraged to call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator user, which an attacker can then weaponize to seize control of the site and inject malicious code that can redirect site visitors to other sketchy sites, malware, or spam.

Wordfence said in-the-wild exploitation commenced on November 24, 2025, the same day it was publicly disclosed, with the company blocking over 131,000 attempts targeting the flaw. Out of these, 15,381 attack attempts were recorded over the past 24 hours alone.

Some of the efforts include sending specially crafted HTTP requests to the “/wp-admin/admin-ajax.php” endpoint to create a malicious admin user account like “arudikadis” and upload a malicious PHP file “tijtewmg.php” that likely grants backdoor access.

The attacks have originated from the following IP addresses -

• 185.125.50[.]59
• 182.8.226[.]51
• 89.187.175[.]80
• 194.104.147[.]192
• 196.251.100[.]39
• 114.10.116[.]226
• 116.234.108[.]143

The WordPress security company said it also observed malicious PHP files that come with capabilities to scan directories, read, edit, or delete files and their permissions, and allow for the extraction of ZIP files. These PHP files go by the names “xL.php,” “Canonical.php,” “.a.php,” and “simple.php.”

The “xL.php” shell, per Wordfence, is downloaded by another PHP file called “up_sf.php” that’s designed to exploit the vulnerability. It also downloads an “.htaccess” file from an external server (“racoonlab[.]top”) onto the compromised host.

“This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers,” István Márton said. “This is useful in cases where other .htaccess files prohibit access to scripts, for example, in upload directories.”

ICTBroadcast Flaw Exploited to Deliver “Frost” DDoS Botnet

The disclosure comes as VulnCheck said it observed fresh attacks exploiting a critical ICTBroadcast flaw (CVE-2025-2611, CVSS score: 9.3) targeting its honeypot systems to download a shell script stager that downloads multiple architecture-specific versions of a binary called “frost.”

Each of the downloaded versions is executed, followed by the deletion of the payloads and the stager itself to cover up traces of the activity. The end goal of the activity is to carry out distributed denial-of-service (DDoS) attacks against targets of interest.

“The ‘frost’ binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs,” VulnCheck’s Jacob Baines said. “The important part is how it spreads. The operator is not carpet bombing the internet with exploits. ‘Frost’ checks the target first and only proceeds with exploitation when it sees the specific indicators it expects.”

For instance, the binary exploits CVE-2025-1610 only after receiving an HTTP response that contains "Set-Cookie: user=(null)" and then a follow-on response to a second request that contains “Set-Cookie: user=admin.” If those markers are not present, the binary stays dormant and does nothing. The attacks are launched from the IP address 87.121.84[.]52.

While the identified vulnerabilities have been exploited by various DDoS botnets, evidence points to the latest attacks being a small, targeted operation, given that there are fewer than 10,000 internet-exposed systems that are susceptible to them.

“This limits how large a botnet built on these CVEs can get, which makes this operator a relatively small player,” Baines said. “Notably, the ICTBroadcast exploit that delivered this sample does not appear in the binary, which indicates the operator has additional capabilities not visible here.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.