What the vulnerability does
01Description
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.
Explanation of Vulnerability in Simple Terms
02Summary
Cherry Framework Themes versions 3.1.4 and later contain a missing authentication vulnerability that allows unauthenticated network attackers to read sensitive information. The vulnerability requires no user interaction and can be exploited remotely. Site administrators should update to a patched version when available.
What an attacker can do
03Attacker Capabilities
Read sensitive information from the site without logging in.
Potential impact on your site
04Site Impact
Confidential data may be exposed to anyone on the internet without needing site credentials.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated