Sneeit WordPress RCE Vulnerability Used in Real-World Attacks as ICTBroadcast Flaw Powers Frost Botnet Operations


Critical Security Breach in Sneeit Framework Plugin Exploited

An alarming security vulnerability has been identified within the Sneeit Framework plugin for WordPress, presently under active exploitation, according to recent findings from Wordfence.

The vulnerability in question is a remote code execution flaw, tracked as CVE-2025-6389 (CVSS score: 9.8). It affects all versions of the plugin up to and including 8.3 and was fixed in version 8.4, released on August 5, 2025. The plugin has over 1,700 active installations.

“This vulnerability arises because the sneeit_articles_pagination_callback() function processes user input and subsequently transmits it through call_user_func(),” conveyed Wordfence in a statement.

“This situation enables unauthenticated attackers to execute server-side code, creating avenues for installing backdoors or establishing nefarious administrative accounts.”

In essence, this flaw can be exploited to invoke arbitrary PHP functions, such as wp_insert_user(), thereby permitting an attacker to implant an illicit administrative user.

Such a foothold can be used to take control of the website, inject code that redirects visitors to malicious sites, or deploy malware and spam.

Wordfence documents that in-the-wild exploitation began on November 24, 2025, the same day the flaw was publicly disclosed. The security firm has recorded over 131,000 attempts against this vulnerability, 15,381 of them within the last 24 hours alone.

Exploitation attempts primarily involve sending crafted HTTP requests to the “/wp-admin/admin-ajax.php” endpoint in order to create a malicious administrative account such as “arudikadis,” while also uploading a PHP file named “tijtewmg.php,” likely intended to establish backdoor access.

Identified Malicious IP Addresses

  • 185.125.50[.]59
  • 182.8.226[.]51
  • 89.187.175[.]80
  • 194.104.147[.]192
  • 196.251.100[.]39
  • 114.10.116[.]226
  • 116.234.108[.]143

Wordfence has also observed nefarious PHP files equipped with capabilities to scan directories, read, modify, or delete files and their associated permissions. Noteworthy file names include “xL.php,” “Canonical.php,” “.a.php,” and “simple.php.”

According to Wordfence, the “xL.php” shell is downloaded via another PHP file dubbed “up_sf.php,” designed specifically to exploit the identified vulnerability. Additionally, it downloads an “.htaccess” file from an external server (“racoonlab[.]top”) onto the compromised host.

“This .htaccess file facilitates access to specific file extensions on Apache servers,” noted István Márton. “Such functionality proves advantageous when other .htaccess settings restrict access to scripts, particularly within upload directories.”
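The indicators in the Wordfence section above (attack IPs, the admin-ajax.php exploitation path, the uploaded backdoor and follow-on web shell names, the staging domain and the rogue administrator account) lend themselves to a quick triage script. The following is an added example written for this article; it is not Wordfence's or the plugin's code. The indicator values are the ones published above; the log lines and user records are constructed for illustration. It assumes web-server logs in Apache/nginx “combined” format and an administrator list exported with the WP-CLI command `wp user list --role=administrator --format=json`. The VulnCheck-reported source address for the ICTBroadcast/Frost activity is included in the IP set as well.

```python
"""Triage helpers for the CVE-2025-6389 (Sneeit Framework) campaign.

Added example, not part of the original article or of Wordfence's tooling.
Indicator values come from the article; sample logs and users are constructed.
Assumes "combined" access-log format and WP-CLI JSON output for users.
"""
import json
import re
from datetime import datetime


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '185.125.50[.]59' back into a usable value."""
    return ioc.replace("[.]", ".")


# Source IPs Wordfence tied to Sneeit exploitation attempts, plus the address
# VulnCheck associated with the ICTBroadcast/Frost activity (87.121.84[.]52).
IOC_IPS = {refang(ip) for ip in (
    "185.125.50[.]59", "182.8.226[.]51", "89.187.175[.]80", "194.104.147[.]192",
    "196.251.100[.]39", "114.10.116[.]226", "116.234.108[.]143", "87.121.84[.]52",
)}
# Uploaded backdoor, the downloader, and the follow-on web shells named by Wordfence.
IOC_FILES = {"tijtewmg.php", "up_sf.php", "xL.php", "Canonical.php", ".a.php", "simple.php"}
IOC_DOMAIN = refang("racoonlab[.]top")
ROGUE_ADMIN = "arudikadis"
EXPLOITATION_START = datetime(2025, 11, 24)  # date Wordfence first saw attacks

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def scan_access_line(line: str) -> list[str]:
    """Return the reasons one access-log line matches the campaign (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, method, path = m.group("ip"), m.group("method"), m.group("path")
    bare_path = path.split("?", 1)[0]
    basename = bare_path.rsplit("/", 1)[-1]
    reasons = []
    if ip in IOC_IPS:
        reasons.append(f"source {ip} is a published attack IP")
    if basename in IOC_FILES:
        reasons.append(f"request for known web shell name {basename}")
    # POSTs to admin-ajax.php are normal WordPress traffic; flag them only when
    # they come from an already-suspicious source, otherwise the alert is noise.
    if bare_path.endswith("/wp-admin/admin-ajax.php") and method == "POST" and ip in IOC_IPS:
        reasons.append("admin-ajax.php POST from attack IP (CVE-2025-6389 exploitation path)")
    if IOC_DOMAIN in line:
        reasons.append(f"reference to staging domain {IOC_DOMAIN}")
    return reasons


def scan_access_log(lines) -> list[tuple[int, list[str]]]:
    """Scan an iterable of log lines; return (1-based line number, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        reasons = scan_access_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits


def find_suspect_admins(wp_user_json: str) -> list[str]:
    """From WP-CLI JSON output, return admin logins that match the rogue account name
    or were registered on/after the date exploitation began (candidates for review)."""
    suspects = []
    for user in json.loads(wp_user_json):
        login = user.get("user_login", "")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login == ROGUE_ADMIN or registered >= EXPLOITATION_START:
            suspects.append(login)
    return suspects


# Constructed sample data (not real logs or real users).
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Nov/2025:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '185.125.50.59 - - [25/Nov/2025:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 311 "-" "curl/8.0"',
    '185.125.50.59 - - [25/Nov/2025:10:00:09 +0000] "GET /wp-content/uploads/tijtewmg.php HTTP/1.1" 200 87 "-" "curl/8.0"',
    '203.0.113.11 - - [25/Nov/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Nov/2025:10:02:00 +0000] "GET /wp-content/uploads/xL.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 09:15:00", "roles": "administrator"},
    {"ID": 57, "user_login": "arudikadis", "user_registered": "2025-11-25 10:00:08", "roles": "administrator"},
])

if __name__ == "__main__":
    for n, reasons in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
    print("suspect admins:", find_suspect_admins(SAMPLE_USERS))
```

On the sample data the script flags the admin-ajax.php POST and the backdoor fetch from the published IP and the request for “xL.php”, while leaving the ordinary admin-ajax.php POST from an unlisted address alone; the user check returns the “arudikadis” account. A hit on a web shell name with a 200 status is the one to treat as a confirmed compromise rather than a probe.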

ICTBroadcast Vulnerability Exploited for DDoS Botnet Deployment

The disclosure arrives alongside VulnCheck's observations of separate attacks exploiting a critical flaw in ICTBroadcast (CVE-2025-2611, CVSS score: 9.3). Those attacks, seen against honeypot systems, download a staging shell script that in turn retrieves several architecture-specific versions of a binary known as “frost.”

Each downloaded version is executed, after which both the payloads and the stager itself are deleted to remove evidence of the activity. The end goal of the operation is to launch distributed denial-of-service (DDoS) attacks against chosen targets.

“The ‘frost’ binary amalgamates DDoS capabilities with spreader logic, incorporating fourteen exploits across fifteen CVEs,” elaborated VulnCheck’s Jacob Baines in a statement.

“Crucially, it selectively disseminates exploits based on pre-identified indicators rather than launching indiscriminate attacks.”


For example, the binary exploits CVE-2025-1610 upon receiving an HTTP response containing “Set-Cookie: user=(null),” followed by a subsequent response indicating “Set-Cookie: user=admin.”

In the absence of these markers, the binary remains inactive. The attacks appear to emanate from the IP address 87.121.84[.]52.

Although various DDoS botnets have probed the same vulnerabilities, current evidence suggests this latest activity is a small, narrowly targeted operation, since fewer than 10,000 internet-exposed systems remain susceptible.

“This limitation curtails the potential scale of a botnet derived from these vulnerabilities, positioning this operator as a relatively modest player,” Baines stated.

“Notably, the exploit from ICTBroadcast that facilitated this sample is absent from the binary, suggesting the operator possesses additional capabilities not immediately apparent.”

Source link: Thehackernews.com.


Reported By

RS Web Solutions
