Sneeit Wordpress RCE Exploited In The Wild While Ictbroadcast Bug...

A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.

The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.

"This is due to the sneeit_articles_pagination_callback() function accepting user input and then passing that through call_user_func()," Wordfence said. "This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for example, create new administrative user accounts."

In other words, the vulnerability can be leveraged to call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator user, which an attacker can then weaponize to seize control of the site and inject malicious code that can redirect site visitors to other sketchy sites, malware, or spam.
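To make the bug class concrete, here is an added illustration (not the Sneeit plugin's own code; all function, hook and parameter names are assumptions) of an admin-ajax.php handler that passes a request-supplied name to call_user_func(), beside a hardened version that only dispatches through a fixed allowlist:

```php
<?php
// Illustrative only: a simplified AJAX pagination handler reproducing the
// pattern described above (user input reaching call_user_func()). It is not
// the Sneeit plugin's code; names and parameters are assumptions.

// VULNERABLE: the function to call is taken straight from the request, so any
// defined PHP function (the article names wp_insert_user()) can be invoked.
function example_pagination_callback_vulnerable() {
    $callback = isset( $_POST['callback'] ) ? $_POST['callback'] : '';
    $args     = isset( $_POST['args'] ) ? (array) $_POST['args'] : array();
    echo call_user_func_array( $callback, $args );
    wp_die();
}

// HARDENED: the client picks a layout key; the server maps it to one of a
// fixed set of render functions and validates the remaining parameters.
function example_pagination_callback_fixed() {
    // Nonce check (optional layer for a public endpoint; the allowlist is the fix).
    check_ajax_referer( 'example_pagination', 'nonce' );

    $allowed = array(
        'grid' => 'example_render_grid',
        'list' => 'example_render_list',
    );
    $layout = isset( $_POST['layout'] ) ? sanitize_key( wp_unslash( $_POST['layout'] ) ) : '';
    if ( ! isset( $allowed[ $layout ] ) ) {
        wp_send_json_error( 'invalid layout', 400 );
    }
    $page = isset( $_POST['page'] ) ? max( 1, absint( $_POST['page'] ) ) : 1;

    // Only a mapped function can run; the caller never names a function.
    echo call_user_func( $allowed[ $layout ], $page );
    wp_die();
}

function example_render_grid( $page ) {
    return '<div class="grid" data-page="' . esc_attr( $page ) . '"></div>';
}
function example_render_list( $page ) {
    return '<ul class="list" data-page="' . esc_attr( $page ) . '"></ul>';
}

// Register only the hardened handler. The nopriv hook is what makes the
// endpoint reachable by unauthenticated visitors, as the article describes.
add_action( 'wp_ajax_example_pagination', 'example_pagination_callback_fixed' );
add_action( 'wp_ajax_nopriv_example_pagination', 'example_pagination_callback_fixed' );
```

The same review applies to any plugin handler that feeds request data into call_user_func(), call_user_func_array(), or a variable function call: the set of callable targets must be decided by the server, never by the request.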

Wordfence said in-the-wild exploitation commenced on November 24, 2025, the same day it was publicly disclosed, with the company blocking over 131,000 attempts targeting the flaw. Out of these, 15,381 attack attempts were recorded over the past 24 hours alone.

Some of the efforts include sending specially crafted HTTP requests to the "/wp-admin/admin-ajax.php" endpoint to create a malicious admin user account like "arudikadis" and upload a malicious PHP file "tijtewmg.php" that likely grants backdoor access.

The attacks have originated from the following IP addresses -

The WordPress security company said it also observed malicious PHP files that come with capabilities to scan directories, read, edit, or delete files and their permissions, and allow for the extraction of ZIP files. These PHP files go by the names "xL.php," "Canonical.php," ".a.php," and "simple.php."

The "xL.php" shell, per Wordfence, is downloaded by another PHP file called "up_sf.php" that's designed to exploit the vulnerability. It also downloads an ".htaccess" file from an external server ("racoonlab[.]top") onto the compromised host.

"This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers," István Márton said. "This is useful in cases where other .htaccess files prohibit access to scripts, for example, in upload directories."

Source: The Hacker News