Hacking Churches and Backdooring Emacs
This release packs some solid exploit module additions! Two new unauthenticated RCE modules are a major win: the StoryChief WordPress plugin exploit (CVE-2025-7441) targets a webhook validation flaw allowing arbitrary file uploads, while the ChurchCRM exploit (CVE-2025-62521) abuses the installation wizard to inject PHP code for persistent access. Both establish Meterpreter sessions. On the persistence front, there's a creative Emacs extension module that plants malicious Lisp code for shell callbacks whenever Emacs launches; a fun take on an unconventional attack surface. Along with Emacs, a new Windows persistence using the old, gold registry; this time the UserInit one, to get Administrator shells when any user logs in. To wrap-up, now you can spread automation nightmares with the new n8n auxiliary module, allowing you to extract sessions of other logged users (even admins).
New module content (5)
n8n arbitrary file read
Authors: dor attias and msutovsky-r7
Type: Auxiliary
Pull request: #20856 contributed by msutovsky-r7
Path: gather/ni8mare_cve_2026_21858
Description: This adds an exploit module for n8n. The vulnerability, known as Ni8mare, allows arbitrary file read and session extraction of other users allowing privilege escalation on the WebApp context.
Emacs Extension Persistence
Author: h00die
Type: Exploit
Pull request: #20919 contributed by h00die
Path: linux/persistence/emacs_extension
Description: This adds a persistence module compatible with emacs for Linux, the emacs extension will trigger a session creation as the compromised user.
ChurchCRM Unauthenticated RCE 6.8.0
Author: LucasCsmt
Type: Exploit
Pull request: #20947 contributed by LucasCsmt
Path: multi/http/churchcrm_install_unauth_rce
AttackerKB reference: CVE-2025-62521
Description: This PR adds a new exploit module for CVE-2025-62521, targeting an unauthenticated Remote Code Execution (RCE) vulnerability in ChurchCRM versions 6.8.0 and earlier.
WordPress StoryChief Plugin Unauthenticated RCE
Authors: Nayera and xpl0dec
Type: Exploit
Pull request: #20976 contributed by Nayeraneru
Path: multi/http/wp_plugin_story_chef_file_upload
AttackerKB reference: CVE-2025-7441
Description: Adds a new exploit module targeting CVE-2025-7441, an unauthenticated RCE in the WordPress plugin StoryChief versions <= 1.0.45.
Windows Registry Persistence via Userinit
Authors: h00die and joel
Type: Exploit
Pull request: #20844 contributed by 6a6f656c
Path: windows/persistence/registry_userinit
Description: This adds a persistence module for Windows. Using the UserInit registry key the target machine will create a session with Admin privileges every time any user logs in.
Enhancements and features (2)
- #20807 from webbsssss - Allow Acunetix vulnerabilities to be imported without complete web page data.
- #20969 from sjanusz-r7 - Updates Metasploit's logic when importing Acunetix XML files to now also include items that are less than High severity.
Bugs fixed (1)
- #20972 from adfoster-r7 - Fixes false positives on lg simple editor check methods.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
Metasploit Wrap-Up 02/20/2026
Source: Rapid7
Source Link: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-20-2026