Security researchers reported active exploitation of a critical remote code execution bug in the Sneeit Framework WordPress plugin, tracked as CVE-2025-6389 with a CVSS score of 9.8. The flaw affects versions up to and including 8.3 and was patched in version 8.4, released on August 5, 2025; the plugin has more than 1,700 active installations, Wordfence said.
The vulnerability stems from the sneeit_articles_pagination_callback() function accepting attacker-controlled input and passing it to call_user_func(), which can allow unauthenticated attackers to invoke arbitrary PHP functions on the server. An attacker can therefore call functions such as wp_insert_user() to create a privileged administrative account and then use that account to take control of the site and inject malicious code.
Wordfence reported that in-the-wild exploitation began on November 24, 2025, the same day the vulnerability was publicly disclosed, and that it blocked more than 131,000 attempts targeting the flaw, including 15,381 attack attempts observed over a single 24-hour period. Some attempts used specially crafted requests to /wp-admin/admin-ajax.php to create administrative accounts (examples include a user named “arudikadis”) and to upload web shells such as tijtewmg.php.
Observers said the intrusions also dropped a variety of PHP shells and utilities capable of scanning directories, reading, editing or deleting files, changing permissions, and extracting ZIP archives. Reported filenames include xL.php, Canonical.php, .a.php and simple.php, and attackers deployed an up_sf.php stager that downloads an xL.php shell and an .htaccess file from an external server. “This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers,” István Márton said. Wordfence listed multiple originating IP addresses tied to attempts against the flaw.
Separately, VulnCheck reported fresh attacks exploiting a critical ICTBroadcast flaw (CVE-2025-2611) that delivered a shell script stager to fetch multiple architecture-specific binaries of a DDoS tool named “frost.” VulnCheck’s analysis said the frost binary combines DDoS tooling with spreader logic covering 14 exploits for 15 CVEs and only proceeds with exploitation when it sees specific indicators in HTTP responses, and that at least some activity was observed originating from IP address 87.121.84.52.
Site operators are advised to apply available updates: upgrade the Sneeit Framework plugin to version 8.4 or later to remediate CVE-2025-6389 and review site logs for signs of unauthorized administrative users or uploaded shells.
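As an added example (not from the article, Wordfence or the plugin), a small Python triage script for the log review recommended above: it parses Apache-style access log lines, flags requests for the web shell and stager filenames reported in the campaign, and counts POSTs to /wp-admin/admin-ajax.php per source IP to surface the kind of request volume Wordfence described. The log lines, IP addresses and the per-IP threshold are constructed for this example.

```python
import re
from collections import Counter

# Web shell and stager filenames reported for the CVE-2025-6389 campaign (compared case-insensitively).
REPORTED_SHELL_NAMES = {"tijtewmg.php", "xl.php", "canonical.php", ".a.php", "simple.php", "up_sf.php"}

# Apache/nginx combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_access_log(lines, ajax_threshold=50):
    """Flag requests for reported shell filenames and source IPs hammering admin-ajax.php."""
    shell_hits = []
    ajax_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]          # drop any query string before matching
        basename = path.rsplit("/", 1)[-1].lower()
        if basename in REPORTED_SHELL_NAMES:
            shell_hits.append((rec["ip"], path, rec["status"]))
        if rec["method"] == "POST" and path == "/wp-admin/admin-ajax.php":
            ajax_posts[rec["ip"]] += 1
    noisy = {ip: n for ip, n in ajax_posts.items() if n >= ajax_threshold}
    return {"shell_hits": shell_hits, "noisy_ajax_sources": noisy}

# Constructed sample log (documentation-range IPs); 198.51.100.7 sends 60 POSTs to admin-ajax.php in a minute.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2025:10:13:59 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Nov/2025:10:14:03 +0000] "GET /wp-content/uploads/2025/11/xL.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Nov/2025:10:14:09 +0000] "POST /wp-content/uploads/tijtewmg.php HTTP/1.1" 200 77 "-" "curl/8.0"',
    '203.0.113.5 - - [25/Nov/2025:10:15:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [25/Nov/2025:10:16:{i:02d} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "python-requests/2.31"'
    for i in range(60)
]

def demo():
    """Run the scan over the constructed sample so the findings can be checked directly."""
    return scan_access_log(SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```

Feed the script your real access log with `scan_access_log(open(path))` and treat any shell hit with a 200 status as a likely compromise worth a full review of admin users and uploads.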

