CVE-2025-7441
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Analysis
The StoryChief WordPress plugin through version 1.0.42 contains an unauthenticated arbitrary file upload via the /wp-json/storychief/webhook REST API endpoint. Insufficient file type validation allows attackers to upload executable PHP files, achieving remote code execution on the WordPress server.
Technical Context
The StoryChief plugin registers a webhook REST API endpoint at /wp-json/storychief/webhook that processes content updates from the StoryChief platform. This endpoint accepts file attachments without properly validating file types or authenticating the request source. An attacker can send a crafted webhook payload containing a PHP file that is saved to the WordPress uploads directory.
Affected Products
['StoryChief for WordPress <= 1.0.42']
Remediation
Update StoryChief plugin to version 1.0.43 or later. Implement webhook signature verification. Restrict webhook endpoint to StoryChief IP ranges. Scan the uploads directory for PHP files.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today