A researcher going by the name of “b1p0l4r” has just released a new 0Day exploit affecting all CherryFramework themes on WordPress’s content management system. The exploit is rather simple in nature: it allows attackers to remotely access and download a website’s backup file, exposing sensitive information such as all blog posts, photos, videos, files and uploads attached to an owner’s account, as well as other sensitive information including email subscriber lists, security settings, site settings, sub-domains, plugin lists, admin user information and much more.
As for the exploit itself, if you already know the domain of a WordPress site using a CherryFramework theme, then all you need to do is append the correct sequence of words and characters to the domain name in the browser’s address bar. Once entered correctly, you are taken to a built-in web page belonging to the site itself, from which you can download a ZIP file containing the full backup of the site and its content.
I’ve personally seen this attack style hundreds of times over the course of the last 2 months alone, so it’s actually kind of interesting to find a theme that this type of vulnerability actually affects, because normally such attempts just bounce right off my firewall. However, considering that the download page is a valid end-destination URL built into the CherryFramework theme’s design itself, there is really no stopping the attack. All you can really do is go to your site’s administrator settings and disable site backups, which poses another security threat in itself, and that is what makes this a legitimate 0Day.
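Because the backup page is part of the theme, a site owner who keeps backups enabled is left with detection rather than prevention. The following script is an added example, not code from the original post or from CherryFramework: it scans web server access logs in the common “combined” format and flags successful, large downloads of archive files served from under `/wp-content/`, grouped by client IP. The log lines, theme directory and archive names are constructed placeholders (the real CherryFramework path is not given here), and the 1 MB size threshold is an assumption you would tune to your own site.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format. The theme
# directory (EXAMPLE-THEME) and archive names are placeholders, not the real
# CherryFramework path; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2016:12:00:01 +0000] "GET /wp-content/themes/EXAMPLE-THEME/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2016:12:00:02 +0000] "GET /wp-content/themes/EXAMPLE-THEME/EXAMPLE-backup.zip HTTP/1.1" 200 52428800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2016:12:01:15 +0000] "GET /wp-content/themes/EXAMPLE-THEME/EXAMPLE-backup.zip HTTP/1.1" 403 412 "-" "curl/7.47"
198.51.100.7 - - [10/Apr/2016:12:01:16 +0000] "GET /wp-content/uploads/2016/04/photo.jpg HTTP/1.1" 200 81920 "-" "curl/7.47"
192.0.2.5 - - [10/Apr/2016:12:02:00 +0000] "GET /wp-content/uploads/EXAMPLE-backup.zip?dl=1 HTTP/1.1" 200 73400320 "-" "python-requests/2.9"
"""

# Fields of the combined log format we care about: client IP, timestamp,
# request method and path, response status and response size in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# File extensions that typically hold a full site backup (assumed list).
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_backup_downloads(log_text, min_bytes=1_000_000):
    """Flag successful (200) responses that served a large archive from /wp-content/.

    Only completed downloads count: a 403 or 404 means the request was blocked
    or the file was absent, so it is noise rather than an exposure.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop the query string before checking the extension.
        path = rec["path"].split("?", 1)[0].lower()
        if not path.startswith("/wp-content/"):
            continue
        if not path.endswith(ARCHIVE_SUFFIXES):
            continue
        if rec["status"] == 200 and rec["size"] >= min_bytes:
            hits.append(rec)
    return hits


def summarize(hits):
    """Group flagged downloads by client IP so repeat collectors stand out."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["path"])
    return dict(by_ip)


if __name__ == "__main__":
    for ip, paths in summarize(find_backup_downloads(SAMPLE_LOG)).items():
        print(f"{ip}: {len(paths)} archive download(s) -> {paths}")
```

Run it against a real access log by reading the file into `find_backup_downloads`; any hit from an IP that is not your own backup tooling is worth investigating, and the size filter keeps small error pages and probes out of the results.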
At present there is no estimate of the number of WordPress owners/websites affected by this vulnerability, and CherryFramework does not publicly disclose the number of downloads they have received. What I do know is that CherryFramework currently offers 12 theme templates for WordPress owners, ranging in price from $38 to $59 each, as well as countless other plugins. Upon publishing this release, Rogue Security Labs has made the developers aware of the vulnerability.