Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks


These articles are AI-generated summaries. Please check the original sources for full details.

A critical remote code execution (RCE) vulnerability in the Sneeit WordPress plugin (CVE-2025-6389) has been actively exploited since November 24, 2025, with over 131,000 attack attempts blocked by Wordfence. Attackers are leveraging the flaw to inject backdoors and administrative accounts into compromised sites.

Why This Matters

The vulnerability stems from improper handling of user input in the sneeit_articles_pagination_callback() function, allowing unauthenticated attackers to execute arbitrary PHP code. While patches exist (version 8.4), the plugin’s 1,700+ active installations remain at risk. Unpatched systems face full server compromise, enabling DDoS botnet recruitment via the Frost malware, which exploits 15 CVEs with conditional logic to avoid detection.
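A patch-level audit for the fix mentioned above, as an added example that is not from the original article or from Wordfence: it reads the standard WordPress plugin header from each plugin's PHP files and flags copies below version 8.4. Matching on "sneeit" in the Plugin Name header is an assumption, and the sample plugin tree is constructed.

```python
import re
import tempfile
from pathlib import Path

PATCHED = (8, 4)  # fixed release named on this page
# WordPress plugin metadata: "Key: value" lines in a comment at the top of a PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '8.3.1' into (8, 3, 1) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def read_header(php_file):
    """Return the header fields found in the first 8 KiB of a PHP file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER.findall(head)}

def audit(plugins_dir, name_match="sneeit"):
    """List (file, version, status) for plugins whose name contains name_match."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        meta = read_header(php)
        if name_match not in meta.get("plugin name", "").lower():
            continue  # not the plugin's main file, or a different plugin
        version = meta.get("version", "")
        if not version:
            status = "UNKNOWN"  # header present but no version: inspect by hand
        elif parse_version(version) >= PATCHED:
            status = "PATCHED"
        else:
            status = "VULNERABLE"
        findings.append((str(php.relative_to(plugins_dir)), version, status))
    return findings

def demo():
    """Constructed sample tree: one outdated copy and one patched copy."""
    root = Path(tempfile.mkdtemp())
    for slug, version in (("sneeit-old", "8.3"), ("sneeit-new", "8.4")):
        (root / slug).mkdir()
        (root / slug / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: Sneeit Sample\n * Version: {version}\n */\n")
    return audit(root)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

On a real host, call `audit()` with the site's `wp-content/plugins` directory; a PATCHED result only reflects the installed version and says nothing about backdoors or administrator accounts added before the update.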

Key Insights

  • “8-hour Wordfence outage, 2025”: 131,000+ attacks blocked in 24 hours post-disclosure (Wordfence, 2025-12-08)
  • “Conditional exploit logic”: Frost botnet uses HTTP headers to trigger CVE-2025-1610 only when specific cookies are present (VulnCheck, 2025)
  • “Targeted botnet growth”: <10,000 exposed systems vulnerable to Frost, limiting botnet scale (VulnCheck, 2025)

Practical Applications

  • Use Case: WordPress sites with outdated plugins are being weaponized to host Frost botnet nodes.
  • Pitfall: Assuming patched systems are safe; attackers target unpatched instances via automated scans.
