CVE Catalog

CVE-2018-25437

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile - higher than 20% of all known CVEs

Summary

The CherryFramework theme for WordPress version 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.

Risk Assessment

This vulnerability poses a risk of sensitive data disclosure, which could lead to further attacks on the system. The exposure of theme directory contents may allow attackers to exploit known vulnerabilities in the themes.

Recommendation

It is recommended to update the CherryFramework theme to the latest version to eliminate this vulnerability. Additionally, access to the download_backup.php script should be restricted, and server logs should be monitored for unauthorized access attempts.

Original NVD description (English source)

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS