CVE-2018-25437

Vulnerability

The CherryFramework Themes version 3.1.4 for WordPress contains an information disclosure vulnerability in the download_backup.php script located at wp-content/themes/CherryFramework/admin/data_management/. This endpoint lacks authentication, allowing unauthenticated attackers to download a ZIP archive containing the entire contents of the wp-content/themes directory. The affected version is CherryFramework Themes up to and including 3.1.4 [1][2].

Exploitation

An attacker needs no authentication and only network access to the target WordPress site. By directly requesting the URL https://victim.com/wp-content/themes/CherryFramework/admin/data_management/download_backup.php, the server immediately serves a ZIP file without any user interaction or prior privileges. The exploit is publicly documented and does not require any special conditions [2].

Impact

Successful exploitation results in information disclosure of all files within wp-content/themes. This may include theme source code, configuration files, custom PHP templates, and potentially embedded credentials or other sensitive data. The attacker gains access to the entire theme directory contents, which could aid further attacks or expose proprietary information. No code execution or privilege escalation is directly achieved, but the leaked data may facilitate subsequent compromise [1][2].

Mitigation

No official patch has been released for this vulnerability as of the publication date. Administrators can mitigate the risk by restricting access to the admin/data_management/ directory via web server rules (e.g., .htaccess deny rules) or by removing the download_backup.php file if not required. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog [1][2].