Imagine waking up to find your WordPress site hijacked, your data compromised, and your visitors redirected to malicious sites. This isn't a hypothetical scenario—it's happening right now due to a critical vulnerability in the Sneeit Framework plugin. But here's where it gets even more alarming: while WordPress sites are under siege, a separate flaw in ICTBroadcast is fueling a sophisticated botnet attack. Let’s break it down in a way that’s easy to understand, even if you’re not a cybersecurity expert.
Sneeit Framework Vulnerability: A Ticking Time Bomb
The Sneeit Framework plugin for WordPress, with over 1,700 active installations, has been hit by a remote code execution (RCE) vulnerability, identified as CVE-2025-6389. This flaw, rated a staggering 9.8 on the CVSS scale, allows unauthenticated attackers to execute arbitrary PHP code on vulnerable servers. And this is the part most people miss: it’s not just about gaining access—attackers can inject backdoors, create rogue admin accounts, and even redirect site visitors to phishing or malware-laden sites.
The root cause? The sneeit_articles_pagination_callback() function mishandles user input, passing it through call_user_func() without proper sanitization. This oversight enables attackers to call functions like wp_insert_user() to create malicious admin accounts. Wordfence reports that exploitation began on November 24, 2025, the same day the vulnerability was disclosed. Since then, they’ve blocked over 131,000 attack attempts, with 15,381 occurring in the past 24 hours alone.
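To make the bug class concrete, here is an added illustration of the weak pattern described above next to a hardened version. This is not the Sneeit Framework's code; the function, hook and parameter names (example_pagination_callback_*, EXAMPLE_PAGINATION_HANDLERS, the "view" and "page" fields) are assumptions, and only the allowlist idea and the WordPress helpers (check_ajax_referer, sanitize_key, absint, wp_send_json_error) are real.

```php
<?php
// Added illustration, NOT the plugin's own code. Names are assumptions.

// Weak pattern: a callable name taken straight from the request is handed
// to call_user_func(), so any global PHP or WordPress function (including
// wp_insert_user) can be invoked by whoever can reach the AJAX endpoint.
function example_pagination_callback_weak() {
    $callback = isset( $_POST['callback'] ) ? $_POST['callback'] : '';
    $args     = isset( $_POST['args'] ) ? (array) $_POST['args'] : array();
    call_user_func( $callback, $args );   // arbitrary function call
    wp_die();
}

// Hardened form: the request only supplies a key into a fixed allowlist,
// so nothing outside the handlers the plugin ships can ever run, and the
// page number is cast to an integer instead of being trusted.
const EXAMPLE_PAGINATION_HANDLERS = array(
    'latest'  => 'example_render_latest_posts',   // assumed handler names
    'popular' => 'example_render_popular_posts',
);

function example_pagination_callback_safe() {
    check_ajax_referer( 'example_pagination', 'nonce' );   // CSRF token check

    $key = isset( $_POST['view'] ) ? sanitize_key( wp_unslash( $_POST['view'] ) ) : '';
    if ( ! array_key_exists( $key, EXAMPLE_PAGINATION_HANDLERS ) ) {
        wp_send_json_error( 'unknown view', 400 );   // reject anything off-list
    }

    $page    = isset( $_POST['page'] ) ? max( 1, absint( $_POST['page'] ) ) : 1;
    $handler = EXAMPLE_PAGINATION_HANDLERS[ $key ];
    call_user_func( $handler, $page );   // only an allowlisted callable
    wp_die();
}

// Assumed handlers; a real plugin would render its own markup here.
function example_render_latest_posts( $page )  { echo esc_html( "latest page {$page}" ); }
function example_render_popular_posts( $page ) { echo esc_html( "popular page {$page}" ); }

// Pagination of public articles is legitimately reachable without login,
// so the nopriv hook is expected; the allowlist is what makes it safe.
add_action( 'wp_ajax_example_pagination',        'example_pagination_callback_safe' );
add_action( 'wp_ajax_nopriv_example_pagination', 'example_pagination_callback_safe' );
```

The check to apply when auditing any plugin is the same: every call_user_func(), call_user_func_array() or "$name()" whose name can be influenced by request data must resolve through a fixed allowlist like the one above.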
Attackers are sending crafted HTTP requests to the /wp-admin/admin-ajax.php endpoint, creating accounts like "arudikadis" and uploading malicious PHP files such as "tijtewmg.php" to establish backdoor access. The attacks originate from IPs like 185.125.50[.]59, 182.8.226[.]51, and 89.187.175[.]80. Controversially, some experts argue that the plugin’s developers should have addressed this flaw sooner, given its severity. What do you think?
ICTBroadcast Flaw: The Rise of the Frost Botnet
Meanwhile, a critical flaw in ICTBroadcast (CVE-2025-2611, CVSS score: 9.3) is being exploited to deliver the "Frost" DDoS botnet. VulnCheck observed attackers targeting honeypot systems to download a shell script that fetches architecture-specific versions of the "frost" binary. Once executed, the payloads and stager are deleted to erase traces of the attack.
But here’s the twist: Frost isn’t your average botnet. It combines DDoS tools with spreader logic, leveraging 14 exploits for 15 CVEs. However, it’s selective—it only activates when it detects specific indicators, such as HTTP responses containing "Set-Cookie: user=(null)" followed by "Set-Cookie: user=admin." This targeted approach suggests a smaller, more calculated operation, with fewer than 10,000 vulnerable systems exposed.
VulnCheck’s Jacob Baines notes that the ICTBroadcast exploit used to deliver Frost doesn’t appear in the binary, implying the attacker has additional, unseen capabilities. Is this a sign of a more sophisticated threat actor, or just a clever tactic to stay under the radar? Let us know your thoughts in the comments.
What Can You Do?
If you’re using the Sneeit Framework plugin, update to version 8.4 immediately. For ICTBroadcast users, ensure your systems are patched against CVE-2025-2611. Stay vigilant, monitor your systems for unusual activity, and consider using security tools like Wordfence to block malicious requests.