Cherry Plugin < 1.2.7 – Unauthenticated Arbitrary File Upload and Download | Plugin Vulnerabilities

Description

The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.

Proof of Concept

Upload: The following file was affected: https://www.example.com/wp-content/plugins/cherry-plugin/admin/import-export/upload.php

Download: https://example.com/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php

Affects Plugins

Fixed in 1.2.7

References

URL

https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE

URL

https://github.com/CherryFramework/cherry-plugin/issues/6

Miscellaneous

Original Researcher

marcS0H

Submitter

Ryan

Verified

Yes

WPVDB ID

90034817-dee7-40c9-80a2-1f1cd1d033ee

Timeline

Publicly Published

2016-06-22 (about 9 years ago)

Added

2020-02-20 (about 5 years ago)

Last Updated

2021-09-21 (about 4 years ago)

Other

Published

Title

Published

2015-05-09

Title

WordPress File Upload < 2.7.1 - JS File Upload

Published

2017-12-19

Title

AccessPress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload

Published

2025-09-24

Title

Advanced Settings < 3.2.0 - Authenticated (Author+) Arbitrary File Upload

Published

2025-03-20

Title

Instant Appointment <= 1.2 - Unauthenticated Arbitrary File Upload

Published

2025-12-04

Title

Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload