Description
The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-08-16
Score: 9.8 Critical
EPSS: 78.9% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The StoryChief WordPress plugin allows unauthenticated users to upload files through the /wp-json/storychief/webhook REST-API endpoint. This endpoint lacks adequate file-type validation, a CWE-434 arbitrary file upload flaw that lets an attacker store arbitrary files on the website's file system. Based on the description, it is inferred that an uploaded executable file such as a PHP script could be executed by a subsequent HTTP request, giving the attacker the ability to run code on the server and fully compromise the site.

Affected Systems

All installations of the StoryChief plugin for WordPress at version 1.0.42 or earlier are affected. The vulnerability resides in the plugin's REST-API endpoint and applies to any WordPress site running one of these versions.

Risk and Exploitability

The CVSS score of 9.8 classifies this as a Critical vulnerability, reflecting the severity of potential remote code execution. The EPSS score of 0.78942 (78.9 %) indicates a high probability that this flaw will be actively exploited in the wild. It is not listed in the CISA KEV catalog, but the lack of authentication and the ability to upload executable files place it at very high risk. An attacker only needs network access to the target site to craft a malicious upload request.

Generated by OpenCVE AI on May 2, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the StoryChief plugin to a version newer than 1.0.42.
  • If an immediate upgrade is not possible, temporarily disable the /wp-json/storychief/webhook REST API endpoint (e.g., by blocking it in the web server or using a plugin that turns off unused endpoints).
  • Scan the site for any malicious files that may have been uploaded and remove them, ensuring file permissions are set so that no unintended scripts can be executed.
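As an added example for the third action above (not code from OpenCVE or the StoryChief plugin), a small Python triage script that walks a WordPress uploads directory and flags files the web server might execute, both by extension and by a PHP open tag hidden inside a file with a harmless extension; the directory layout and file names in the sample tree are constructed assumptions.

```python
"""Triage helper: flag files under a WordPress uploads tree that the web server
might execute. Added example, not code from OpenCVE or the StoryChief plugin."""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions commonly mapped to the PHP handler; extend to match your server config.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
PHP_MARKERS = (b"<?php", b"<?=")  # PHP open tags hiding inside a "harmless" file

def classify(path: Path) -> Optional[str]:
    """Return a finding label for one file, or None if it looks benign."""
    # Path.suffixes sees every extension, so "img.php.png" is caught as well.
    if {s.lower() for s in path.suffixes} & EXEC_EXTS:
        return "executable-extension"
    try:
        head = path.read_bytes()[:4096]  # the open tag, if any, is near the start
    except OSError:
        return None
    if any(marker in head for marker in PHP_MARKERS):
        return "php-code-in-non-php-file"
    return None

def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk root; return sorted (relative path, label) pairs for suspicious files."""
    base = Path(root)
    findings = []
    for p in base.rglob("*"):
        if p.is_file():
            label = classify(p)
            if label:
                findings.append((p.relative_to(base).as_posix(), label))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed sample uploads directory (assumed layout); not real site data."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = Path(root, "2025", "08")
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")     # benign JPEG header
    (month / "notes.txt").write_text("plain text attachment")      # benign text
    (month / "dropped.php").write_text("<?php echo 'planted'; ?>") # executable extension
    (month / "avatar.jpg").write_text("<?php echo 'planted'; ?>")  # PHP hidden in a .jpg
    (month / "img.php.png").write_bytes(b"\x89PNG")                # double extension
    return root

if __name__ == "__main__":
    for rel, label in scan_uploads(build_sample_tree()):
        print(f"{label:26} {rel}")
```

Point `scan_uploads` at the real `wp-content/uploads` path to triage a site; anything it reports should be reviewed against the upload timeline before removal.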

Advisories

Source: EUVD
ID: EUVD-2025-25062
Title: The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 08 Apr 2026 17:45:00 +0000

  Type                 Values Removed   Values Added
  References

Mon, 18 Aug 2025 21:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Storychief
                                        Storychief storychief
                                        Wordpress
                                        Wordpress wordpress
  Vendors & Products                    Storychief
                                        Storychief storychief
                                        Wordpress
                                        Wordpress wordpress

Mon, 18 Aug 2025 14:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics ssvc                          {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 16 Aug 2025 03:45:00 +0000

  Type                 Values Removed   Values Added
  Description                           The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Title                                 StoryChief <= 1.0.42 - Unauthenticated Arbitrary File Upload
  Weaknesses                            CWE-434
  References
  Metrics cvssV3_1                      {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:10:31.102Z
Reserved: 2025-07-10T19:00:10.698Z
Link: CVE-2025-7441

Vulnrichment

Updated: 2025-08-18T13:36:23.112Z

NVD

Status: Deferred
Published: 2025-08-16T04:16:04.523
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-7441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T16:15:26Z

Weaknesses