PatchSiren cyber security CVE debrief
CVE-2018-25437 Cherryframework CVE debrief
CVE-2018-25437 is a high-severity information disclosure vulnerability (CVSS score: 8.7) affecting WordPress CherryFramework Themes version 3.1.4. Unauthenticated attackers can directly request the download_backup.php script in the admin/data_management directory and download ZIP archives containing the entire contents of the wp-content/themes directory.
- Vendor: Cherryframework
- Product: Cherry Framework Themes
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of WordPress CherryFramework Themes version 3.1.4 should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability is caused by an insecure endpoint (download_backup.php) in the admin/data_management directory of WordPress CherryFramework Themes 3.1.4. The endpoint can be reached without authentication and returns backup ZIP files containing the entire contents of the wp-content/themes directory.
Defensive priority
High
Recommended defensive actions
- Update WordPress CherryFramework Themes to a version that is not vulnerable.
- Restrict access to the download_backup.php endpoint.
- Monitor for suspicious activity related to the download_backup.php endpoint.
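One way to carry out the monitoring action above, as an added example (not code from the advisory or the vendor): it scans web-server access logs for requests to the endpoint and records whether the server returned content. It assumes the Apache/nginx combined log format; the log lines, IP addresses and theme directory name are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path suffix taken from the advisory text; the theme directory above it varies per site.
TARGET_SUFFIX = "/admin/data_management/download_backup.php"

# Apache/nginx "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise_path(target):
    """Drop the query string, decode percent-encoding, collapse '//' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def find_backup_requests(lines):
    """Return {client_ip: [(timestamp, status, bytes_sent, served), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not normalise_path(m["target"]).endswith(TARGET_SUFFIX):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 response with a body means the server sent content to the requester.
        served = status == 200 and size > 0
        hits[m["ip"]].append((m["ts"], status, size, served))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, placeholder theme directory).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2024:10:01:02 +0000] "GET /wp-content/themes/example-theme/admin/data_management/download_backup.php HTTP/1.1" 200 48211934 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Mar/2024:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '203.0.113.20 - - [01/Mar/2024:11:15:40 +0000] "GET /wp-content/themes/example-theme/admin/data_management/download%5Fbackup.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [01/Mar/2024:11:20:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [01/Mar/2024:11:21:13 +0000] "GET /wp-content/themes/example-theme/admin//data_management/download_backup.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_backup_requests(SAMPLE_LOG).items():
        for ts, status, size, served in events:
            print(f"{ip} [{ts}] status={status} bytes={size} served={served}")
```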
Evidence notes
The CVE-2018-25437 vulnerability has been documented in various sources, including [ref-5](https://www.exploit-db.com/exploits/45896) and [ref-6](https://www.vulncheck.com/advisories/wordpress-cherryframework-themes-backup-file-download).
Official resources
CVE-2018-25437 was published on 2018-01-01 and modified on 2018-01-01.