Search
Find a vulnerability
Search criteria
2 vulnerabilities by Cherryframework
CVE-2018-25437 (GCVE-0-2018-25437)
Vulnerability from nvd – Published: 2026-06-15 12:00 – Updated: 2026-06-15 19:24 Unsupported When Assigned
VLAI
EPSS
VEX
Title
WordPress CherryFramework Themes 3.1.4 Backup File Download
Summary
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45896 | exploit |
| http://www.cherryframework.com/ | product |
| https://www.vulncheck.com/advisories/wordpress-ch… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cherryframework | Cherry Framework Themes |
Affected:
3.1.4
|
Date Public
2018-11-17 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25437",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T15:21:54.340887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T19:24:18.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cherry Framework Themes",
"vendor": "Cherryframework",
"versions": [
{
"status": "affected",
"version": "3.1.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "b1p0l4r"
}
],
"datePublic": "2018-11-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:00:51.271Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45896",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45896"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.cherryframework.com/"
},
{
"name": "VulnCheck Advisory: WordPress CherryFramework Themes 3.1.4 Backup File Download",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-cherryframework-themes-backup-file-download"
}
],
"tags": [
"unsupported-when-assigned"
],
"title": "WordPress CherryFramework Themes 3.1.4 Backup File Download",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25437",
"datePublished": "2026-06-15T12:00:51.271Z",
"dateReserved": "2026-06-15T11:35:04.298Z",
"dateUpdated": "2026-06-15T19:24:18.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25437 (GCVE-0-2018-25437)
Vulnerability from cvelistv5 – Published: 2026-06-15 12:00 – Updated: 2026-06-15 19:24 Unsupported When Assigned
VLAI
EPSS
VEX
Title
WordPress CherryFramework Themes 3.1.4 Backup File Download
Summary
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45896 | exploit |
| http://www.cherryframework.com/ | product |
| https://www.vulncheck.com/advisories/wordpress-ch… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cherryframework | Cherry Framework Themes |
Affected:
3.1.4
|
Date Public
2018-11-17 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25437",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T15:21:54.340887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T19:24:18.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cherry Framework Themes",
"vendor": "Cherryframework",
"versions": [
{
"status": "affected",
"version": "3.1.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "b1p0l4r"
}
],
"datePublic": "2018-11-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:00:51.271Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45896",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45896"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.cherryframework.com/"
},
{
"name": "VulnCheck Advisory: WordPress CherryFramework Themes 3.1.4 Backup File Download",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-cherryframework-themes-backup-file-download"
}
],
"tags": [
"unsupported-when-assigned"
],
"title": "WordPress CherryFramework Themes 3.1.4 Backup File Download",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25437",
"datePublished": "2026-06-15T12:00:51.271Z",
"dateReserved": "2026-06-15T11:35:04.298Z",
"dateUpdated": "2026-06-15T19:24:18.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}