CVE-2025-7441
Published: 16 August 2025
Summary
CVE-2025-7441 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to and including 1.0.42. The flaw exists in the /wp-json/storychief/webhook REST-API endpoint, which lacks sufficient filetype validation and is tracked as CWE-434. This permits unauthenticated attackers to upload arbitrary files to the server, with a CVSS 3.1 score of 9.8 reflecting network-accessible impact to confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit the endpoint to place malicious files on the affected site, which may then be executed to achieve remote code execution. No authentication or user interaction is required, and the vulnerability affects any site running the plugin prior to remediation.
Public references include Wordfence threat intelligence and WordPress plugin trac entries that document the vulnerable code at includes/tools.php and a subsequent changeset, indicating an official update was issued to address the unrestricted file upload issue. The EPSS score stands at 0.7894 with no material rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25062
Vulnerability details
The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated…
more
attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary unauthenticated file upload in public-facing WordPress REST endpoint directly enables exploitation of the web app (T1190) and subsequent deployment of a web shell for RCE (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates insufficient filetype validation in the webhook endpoint by requiring comprehensive input validation to reject arbitrary and dangerous file uploads.
Restricts the types of files that can be uploaded via the unauthenticated REST-API endpoint to prevent insertion of malicious code leading to RCE.
Limits permitted actions without authentication, preventing unauthenticated attackers from exploiting the webhook endpoint for arbitrary file uploads.