Cyber Resilience

CVE-2025-7441

Severity: Critical
Published: 16 August 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.7894 (99.1st percentile)
Risk priority: 67 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7441 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (the affected product is inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.9% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to and including 1.0.42. The flaw lies in the /wp-json/storychief/webhook REST API endpoint, which lacks sufficient file type validation and is tracked as CWE-434. It permits unauthenticated attackers to upload arbitrary files to the server; the CVSS 3.1 score of 9.8 reflects a network-reachable, no-privilege, no-interaction vector with high impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit the endpoint to place malicious files on the affected site, which may then be executed to achieve remote code execution. No authentication or user interaction is required, and the vulnerability affects any site running the plugin prior to remediation.

Public references include Wordfence threat intelligence and WordPress plugin Trac entries that document the vulnerable code at includes/tools.php and a subsequent changeset, indicating that an official update was issued to address the unrestricted file upload issue. The EPSS score stands at 0.7894, with no material rise from a lower baseline.


Vulnerability details

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary, unauthenticated file upload in a public-facing WordPress REST endpoint directly enables exploitation of the web application (T1190) and the subsequent placement of a web shell for remote code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-10 (Information Input Validation) directly mitigates the insufficient file type validation in the webhook endpoint by requiring comprehensive input validation that rejects arbitrary and dangerous file uploads.

Prevent: Restricting the types of files that can be uploaded via the unauthenticated REST API endpoint prevents insertion of malicious code leading to remote code execution.

Prevent: AC-14 (Permitted Actions Without Identification or Authentication) limits what may be done without authentication, preventing unauthenticated callers from using the webhook endpoint for arbitrary file uploads.
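The two controls above (AC-14 and SI-10) map to two concrete checks in a webhook upload handler: refuse the request unless the caller proves it is authorised, and validate the file by an extension allowlist plus content sniffing rather than trusting the client-supplied name. The following plain-PHP sketch is an added illustration, not StoryChief's code or WordPress core; the route, shared-secret scheme, allowlist and sample inputs are hypothetical.

```php
<?php
// Added example (hypothetical, not the plugin's code): a hardened webhook
// upload path showing AC-14 (authenticate before acting) and SI-10 (validate
// the file type). Runs stand-alone with php-cli; finfo is bundled with PHP.

declare(strict_types=1);

// Extensions this hypothetical endpoint accepts, each with the MIME type
// the file content must actually sniff as. Script types are never listed.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

// AC-14 gate: the caller must present an HMAC-SHA256 over the raw request
// body computed with a secret shared out of band. hash_equals() is a
// constant-time comparison; a missing header or secret is rejected outright.
function verify_webhook_signature(string $rawBody, string $headerSig, string $secret): bool
{
    if ($headerSig === '' || $secret === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, $headerSig);
}

// SI-10 validation of one uploaded file. Returns ['ok' => true, 'name' => ...]
// or ['ok' => false, 'reason' => ...]. Checks, in order:
//  1. the name is a bare file name (no path separators, no NUL byte);
//  2. it has exactly one extension and that extension is allowlisted, so a
//     double extension such as "image.php.png" is refused, not just ".php";
//  3. the bytes sniff to the MIME type expected for that extension, so a
//     script renamed to ".png" is refused even though its extension passes.
function validate_upload(string $clientName, string $contents): array
{
    if ($clientName === '' || strpbrk($clientName, "/\\\0") !== false) {
        return ['ok' => false, 'reason' => 'invalid filename'];
    }
    $parts = explode('.', $clientName);
    if (count($parts) !== 2 || $parts[0] === '') {
        return ['ok' => false, 'reason' => 'filename must be name.ext with a single extension'];
    }
    $ext = strtolower($parts[1]);
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return ['ok' => false, 'reason' => "extension .$ext not allowed"];
    }
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->buffer($contents);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return ['ok' => false, 'reason' => "content type $sniffed does not match .$ext"];
    }
    // Store under a server-chosen random name; the client-supplied name is
    // used only for the extension decision above, never for the path.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'name' => $safeName];
}

// ---- Constructed demo inputs (not real traffic or real files) ----
$secret  = 'hypothetical-shared-secret';
$body    = '{"event":"publish"}';
$goodSig = hash_hmac('sha256', $body, $secret);

var_dump(verify_webhook_signature($body, $goodSig, $secret));    // correctly signed request
var_dump(verify_webhook_signature($body, 'deadbeef', $secret));  // wrong signature

$pngBytes = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);  // PNG signature only
$phpBytes = "<?php echo 'hi';";                           // a script body

print_r(validate_upload('photo.png', $pngBytes));      // allowlisted type, content matches
print_r(validate_upload('photo.png', $phpBytes));      // extension passes, content does not
print_r(validate_upload('image.php.png', $pngBytes));  // double extension
print_r(validate_upload('image.php', $phpBytes));      // extension not in allowlist
```

In a real WordPress plugin the signature check belongs in the `permission_callback` passed to `register_rest_route()`, which WordPress evaluates before the route handler runs, so an unauthenticated request never reaches the upload code at all; the content check in step 3 corresponds to core's `wp_check_filetype_and_ext()`, which likewise compares the extension against what the bytes actually are. The order matters: authenticating first removes the unauthenticated vector the advisory describes, and validating the type afterwards limits what even an authenticated caller can place on disk.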

References