The Sneeit Framework WordPress plugin contains a critical remote code execution vulnerability identified as CVE-2025-6389 with a CVSS score of 9.8. The vulnerability arises from the function sneeit_articles_pagination_callback() improperly handling user input passed to PHP's call_user_func(), allowing unauthenticated attackers to execute arbitrary PHP functions. Attackers exploit this to create new administrative users (e.g., 'arudikadis') and upload malicious PHP backdoor files (e.g., 'tijtewmg.php'), enabling persistent control over compromised WordPress sites. The vulnerability affects all versions up to 8.3, with a patch issued in version 8.4 on August 5, 2025. Wordfence data shows active exploitation since November 24, 2025, with over 131,000 blocked attempts and thousands daily, originating from multiple IP addresses globally. Malicious PHP shells deployed can scan directories, manipulate files, and extract archives, facilitating further compromise and lateral movement. Attackers also deploy .htaccess files to ensure script execution on Apache servers, bypassing typical upload restrictions. Concurrently, a critical ICTBroadcast vulnerability (CVE-2025-2611, CVSS 9.3) is exploited to deliver the Frost botnet, which combines DDoS capabilities with multi-exploit spreading logic. Frost selectively targets vulnerable systems by checking specific HTTP response markers before exploitation, indicating a targeted campaign. The botnet uses multiple CVE exploits and deletes payloads post-execution to evade detection. These combined threats highlight active exploitation of critical vulnerabilities in widely used web infrastructure components, emphasizing the need for immediate patching and monitoring.

European organizations using the Sneeit Framework WordPress plugin face severe risks including full site takeover, data breaches, defacement, and use of compromised sites as malware distribution platforms or spam sources. The ability to create admin users and upload backdoors threatens confidentiality, integrity, and availability of web assets. This can lead to reputational damage, regulatory penalties under GDPR, and operational disruptions. The Frost botnet's DDoS attacks, fueled by ICTBroadcast exploitation, threaten service availability, potentially disrupting critical online services, e-commerce, and communications infrastructure. Given WordPress's widespread use in Europe for business and government websites, and ICTBroadcast's role in telephony and communication systems, these threats could impact sectors such as public administration, finance, healthcare, and media. The targeted nature of Frost’s attacks suggests strategic adversaries focusing on high-value targets, increasing the risk to organizations with exposed ICTBroadcast installations. Overall, these vulnerabilities could facilitate espionage, sabotage, and large-scale cybercrime campaigns within Europe.

European organizations should immediately upgrade the Sneeit Framework WordPress plugin to version 8.4 or later to remediate CVE-2025-6389. Until patched, implement Web Application Firewall (WAF) rules to block suspicious requests targeting admin-ajax.php, especially those attempting to invoke call_user_func() or create admin users. Conduct thorough audits for unauthorized admin accounts and backdoor PHP files such as 'tijtewmg.php', 'xL.php', and others mentioned, removing any found. Harden Apache configurations to restrict execution of uploaded scripts and monitor .htaccess files for unauthorized changes. For ICTBroadcast, apply the latest security patches addressing CVE-2025-2611 and disable any unnecessary remote management interfaces. Deploy network-level DDoS mitigation solutions and monitor for unusual outbound connections indicative of Frost botnet activity. Employ threat intelligence feeds to block known malicious IP addresses involved in these attacks. Regularly scan web infrastructure for indicators of compromise and anomalous behavior. Finally, implement strict access controls, multi-factor authentication for WordPress admin accounts, and continuous monitoring to detect and respond to exploitation attempts promptly.