Cyber Posture

CVE-2025-7441

Critical

Published: 16 August 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7894 (99.1st percentile)
Risk Priority: 67 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7441 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Web Shell (T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-10, Information Input Validation): directly mitigates the insufficient filetype validation in the webhook endpoint by requiring comprehensive input validation that rejects arbitrary and dangerous file uploads.
- Prevent: restricts the types of files that can be uploaded via the unauthenticated REST-API endpoint, preventing insertion of malicious code that leads to RCE.
- Prevent (AC-14, Permitted Actions Without Identification or Authentication): limits the actions permitted without authentication, so unauthenticated attackers cannot use the webhook endpoint for arbitrary file uploads.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An arbitrary, unauthenticated file upload in a public-facing WordPress REST endpoint directly enables exploitation of the web application (T1190) and the subsequent deployment of a web shell for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Deeper analysis

CVE-2025-7441 affects the StoryChief plugin for WordPress in all versions up to and including 1.0.42. The vulnerability enables arbitrary file uploads due to insufficient filetype validation in the /wp-json/storychief/webhook REST-API endpoint, as classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). Published on 2025-08-16, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Unauthenticated attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), with the scope unchanged (S:U). Exploitation allows uploading arbitrary files to the affected site's server, which may enable remote code execution and result in high impact to confidentiality (C:H), integrity (I:H), and availability (A:H).
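As an added detection example (not code from the original page or from the plugin), the script below scans Apache-style access log lines for the T1190 to T1505.003 chain this page describes: a POST to /wp-json/storychief/webhook followed by a request for an executable-looking file under wp-content/uploads from the same client. The log lines, IP addresses, file names and user agents are constructed samples, and the script assumes lines arrive in time order.

```python
import re

# Constructed sample access log (Apache combined format), not real traffic.
# 203.0.113.7 posts to the webhook and then fetches a PHP file from uploads;
# 198.51.100.4 posts and then fetches an image (benign); 192.0.2.9 probes a
# double-extension name without any prior webhook POST.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2025:10:01:02 +0000] "POST /wp-json/storychief/webhook HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [16/Aug/2025:10:01:05 +0000] "GET /wp-content/uploads/2025/08/shell.php HTTP/1.1" 200 128 "-" "curl/8.4.0"
198.51.100.4 - - [16/Aug/2025:10:02:10 +0000] "POST /wp-json/storychief/webhook HTTP/1.1" 200 512 "-" "StoryChief/1.0"
198.51.100.4 - - [16/Aug/2025:10:02:12 +0000] "GET /wp-content/uploads/2025/08/cover.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Aug/2025:10:03:00 +0000] "GET /wp-content/uploads/2025/08/image.php.jpg HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WEBHOOK_PATH = "/wp-json/storychief/webhook"
UPLOADS_PREFIX = "/wp-content/uploads/"
# Match .php/.phtml/.phar at the end OR in the middle of the name, so
# double extensions such as shell.php.jpg are flagged as well.
EXEC_EXT_RE = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.IGNORECASE)

def parse_line(line):
    """Return the request fields of one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_exec_upload_path(path):
    return path.startswith(UPLOADS_PREFIX) and EXEC_EXT_RE.search(path) is not None

def find_upload_chains(log_text):
    """(ip, path) pairs where a client POSTed to the webhook and later requested an
    executable-looking file under uploads: the T1190 -> T1505.003 sequence."""
    posted, hits = set(), []
    for rec in map(parse_line, log_text.splitlines()):
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] == WEBHOOK_PATH:
            posted.add(rec["ip"])
        elif rec["ip"] in posted and is_exec_upload_path(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits

def exec_upload_requests(log_text):
    """Every request for an executable-looking file under uploads, with its status,
    regardless of any prior webhook POST (lower-confidence but broader signal)."""
    return [(r["ip"], r["path"], r["status"])
            for r in map(parse_line, log_text.splitlines())
            if r and is_exec_upload_path(r["path"])]

if __name__ == "__main__":
    print(find_upload_chains(SAMPLE_LOG))   # -> [('203.0.113.7', '/wp-content/uploads/2025/08/shell.php')]
    print(exec_upload_requests(SAMPLE_LOG))
```

A 200 response on the second request is the strongest indicator, since a web shell that is reachable after the upload has already been written to the uploads directory.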

Advisory and patch details are referenced in the Wordfence threat intelligence report, in the vulnerable code in tools.php at line 75, and in changeset 3344874 in the plugin's Trac repository, which addresses the issue.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products: WordPress (StoryChief plugin, all versions up to and including 1.0.42); inferred from references and description, as NVD did not file a CPE for this CVE

CVEs Like This One

- CVE-2020-36942 (shared CWE-434)
- CVE-2024-57169 (shared CWE-434)
- CVE-2023-53933 (shared CWE-434)
- CVE-2025-68909 (shared CWE-434)
- CVE-2021-47757 (shared CWE-434)
- CVE-2025-68986 (shared CWE-434)
- CVE-2025-56704 (shared CWE-434)
- CVE-2025-0471 (shared CWE-434)
- CVE-2025-7437 (shared CWE-434)
- CVE-2026-33647 (shared CWE-434)

References