A critical security vulnerability in the Sneeit Framework plugin for WordPress is currently being exploited in the wild. This remote code execution vulnerability, identified as CVE-2025-6389 with a CVSS score of 9.8, affects all versions of the plugin up to and including version 8.3. The flaw was patched in version 8.4, released on August 5, 2025. The plugin has over 1,700 active installations.
According to Wordfence, the vulnerability exists because the sneeit_articles_pagination_callback() function accepts user input and passes it through call_user_func(). This allows unauthenticated attackers to execute arbitrary code on the server, which can be exploited to inject backdoors or create new administrative accounts. Such exploitation allows an attacker to gain control over the site and redirect traffic to malicious sites.
The data indicates that exploitation attempts began on November 24, 2025, the same day the vulnerability was publicly disclosed. Wordfence reported blocking over 131,000 attempts to exploit this flaw, with more than 15,000 attempts recorded within just the past day. Attackers have been specifically targeting the "/wp-admin/admin-ajax.php" endpoint to create malicious admin user accounts and upload PHP files, such as "tijtewmg.php," which provides backdoor access.
Additional malicious PHP files have been discovered, including "xL.php" and "Canonical.php," which can scan directories and manipulate files. The "xL.php" shell is reportedly downloaded from another file called "up_sf.php," which is intended to exploit the identified vulnerability.
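The version boundary and the file names reported above can be turned into a quick triage check. The following Python is an added example, not code from Wordfence or the plugin: it assumes a web server access log in the common combined format, and the severity labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# File names reported in the article, lowercased for case-insensitive matching.
REPORTED_FILES = {"tijtewmg.php", "xl.php", "canonical.php", "up_sf.php"}
AJAX_PATH = "/wp-admin/admin-ajax.php"
FIXED = (8, 4)  # first patched release, per the article

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def is_vulnerable(version):
    """True for releases before 8.4 (8.3 and earlier are affected)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return parts < FIXED

def triage(lines):
    """Return (severity, ip, timestamp, request) tuples in log order."""
    events, suspects = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path  # drop any query string
        name = path.rsplit("/", 1)[-1].lower()
        events.append((m["ip"], m["ts"], m["method"], path, m["status"], name))
        if name in REPORTED_FILES:
            suspects.add(m["ip"])
    findings = []
    for ip, ts, method, path, status, name in events:
        if name in REPORTED_FILES:
            # A 2xx answer means the file exists on this server.
            sev = "file-present" if status.startswith("2") else "probe"
            findings.append((sev, ip, ts, f"{method} {path}"))
        elif method == "POST" and path == AJAX_PATH and ip in suspects:
            # admin-ajax.php POSTs are routine; keep only those from a client
            # that also requested one of the reported files.
            findings.append(("ajax-post-from-suspect", ip, ts, f"{method} {path}"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Nov/2025:10:01:05 +0000] "GET /tijtewmg.php?t=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [24/Nov/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47',
    '192.0.2.44 - - [24/Nov/2025:10:03:10 +0000] "GET /xL.php HTTP/1.1" 404 0',
]
```

A "file-present" finding warrants checking the site for unexpected administrator accounts as well, since the article reports both outcomes from the same attack.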
In a related threat, another new vulnerability in ICTBroadcast is being exploited to facilitate attacks by a botnet known as "Frost." This flaw, tracked as CVE-2025-2611 and rated with a CVSS score of 9.3, is being used by attackers to download a shell script designed to execute multiple types of binaries. As part of the DDoS attacks, the botnet selectively exploits targets based on certain indicators, making its operations appear more precise and less random than typical botnet activities.
Overall, these findings underline the critical ongoing cybersecurity challenges faced by WordPress users and the significant threat posed by emerging vulnerabilities and targeted attacks.