CVE-2018-25437

HIGH

WordPress CherryFramework Themes 3.1.4 Backup File Download

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25437. PoCs published by b1p0l4r.

AI-analyzed exploit summary: This exploit demonstrates an information leakage vulnerability in WordPress CherryFramework themes (version 3.1.4 and below) by allowing unauthenticated users to download a ZIP archive containing the entire wp-content/themes directory via a direct URL request.

Description

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.

Exploits (1)

exploitdb WORKING POC
by b1p0l4r · text · webapps · php
https://www.exploit-db.com/exploits/45896


Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress CherryFramework Themes 3.1.4 and below
No auth needed
Prerequisites: Target site running vulnerable CherryFramework theme
devstral-2 · analyzed Jun 15, 2026

References (3)

Core References

Exploit: ExploitDB-45896
https://www.exploit-db.com/exploits/45896

Product: Official Product Homepage
http://www.cherryframework.com/

Third Party Advisory: VulnCheck Advisory: WordPress CherryFramework Themes 3.1.4 Backup File Download
https://www.vulncheck.com/advisories/wordpress-cherryframework-themes-backup-file-download

Scores

CVSS v3: 7.5
EPSS: 0.0029
EPSS Percentile: 20.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-306
Status: published
Products (1): Cherryframework/Cherry Framework Themes 3.1.4
Published: Jun 15, 2026
Tracked Since: Jun 15, 2026