This article does not aim to discredit or shame developers and site owners currently using the Cherry framework. This article is purely informational and written by a developer passionate about security. This article aims to educate readers on WordPress vulnerabilities and their impact across sites.
We believe advice should always be FREE. If you have any questions or concerns about your site’s security, we strongly recommend contacting your web developer for advice or contact us for a FREE consultation.
Efficient website development allows us to keep our competitive prices! What’s not to love about that? When we begin a new design project, we consider what tools to use during our development process. Lately, we’ve noticed a lot of buzz about the Cherry Framework and how secure it is. So, let’s dive in and explore the world of WordPress security.
What is a Framework?
The WordPress Codex defines a theme framework as “A set of functions and features created to aid development.” A framework is a tool meant for developers to create themes more efficiently, as creating a theme from scratch comes with its own set of challenges. A good WordPress theme takes time to develop, from time constraints to security patches, and a useful framework can help facilitate the process. A framework like the Cherry Framework comes loaded with functions and features that save developers a lot of time. It adds back-end settings that allow the user to quickly change the site’s color, fonts, and images.
The Cherry Framework’s purpose is to provide a platform for developers to build better and faster sites. Unfortunately, convenience comes at a cost, and in this article, we will be covering the Cherry Framework and its various security vulnerabilities.
In the world of cybersecurity, an exploited weakness that causes harm is a vulnerability. Multiple types of vulnerabilities plague the Cherry Framework; these include:
- Cherry Framework version 1.2.7 and under allow unauthenticated arbitrary file upload and download.
- Cherry Framework version 3.1.4 allows Backup File Download, which enables remote attackers to obtain potentially sensitive information.
What Does an Unauthenticated Arbitrary File Upload and Download Vulnerability Mean?
This vulnerability allows unauthenticated users to upload or download files from the server. This exploit is pretty severe because it means that an attacker can quickly gain control of a site and serve all sorts of malicious content.
In 2016, the Cherry Plugin for WordPress allowed attackers to upload files and remotely execute malicious code. The lack of input validation and access control in the plugin’s upload.php file causes this vulnerability. This allows attackers to submit a fraudulent request to the upload.php file and upload any file without any restriction. This action will then allow them to execute malicious code on the targeted site. 2016 was also the year that saw the Cherry framework make the list of the top 50 most attacked plugins.
In 2016, it was found that the Cherry Plugin for WordPress allowed attackers to upload files and remotely execute malicious code. The vulnerability is caused by the lack of input validation and access control in the plugin’s ‘upload.php file’. This allows attackers to send in a fraudulent request to the ‘upload.php’ file and upload any file without any restriction. This will then allow them to execute malicious code on the targeted site. 2016 was also the year that saw the Cherry framework make the list of the top 50 most attacked plugins.
Backup File Download
As recently as 2018, the Cherry Framework’s Cherry theme has a vulnerability where attackers can gain access through the back door. This access allows anybody with the path to the Cherry theme admin folder to download a zip file containing the entire content of the WP-Content/Themes directory. This sort of vulnerability opens the door for unauthorized access to personal information.
What if My Site Has Been Hacked? What Can I do to Avoid it?
The good news is that these vulnerabilities have patched in the latest versions of the Cherry Framework. These vulnerabilities showcase the importance of keeping WordPress plugins up to date and ensuring that only reliable themes and applications get installed. If you think your site is at risk of being hacked, it is crucial to get in touch with a Webmaster or developer as soon as possible to mitigate the issue. Working with a web development firm specializing in WordPress security is a plus because they will have a strategy for approaching the situation. This instance is the sort of situation where regular full backups of your WordPress installation come in handy.
These sorts of vulnerabilities beg the question of whether the Cherry Framework is still a secure tool to build websites. While Cherry Framework has mostly patched these vulnerabilities, hundreds of sites with older versions of the Cherry framework have no idea these sorts of vulnerabilities exist.
A compromised website can be an expensive endeavor in both development hours and legal fees! Working with a reputable web development firm can significantly impact how protected a website is against attacks. It’s a good practice to be involved in your site’s design! Ask the right questions, read up on website design, and what platforms your site will be built in. Developers will have your best interest in mind and are knowledgeable when it comes to WordPress security. Asking the right questions during website training meetings will ensure that you can rest assured your website is in good hands.
We recommend employing a firewall plugin such as WordFence security or using a security service to aid in the monitoring and backup of your site. Many web development firms offer this service, and contacting your webmaster can lead you to more answers.
My Website spot is always willing to provide FREE advice. If you have any questions, need assistance with your site’s security, or want to give us feedback on this article, We’d love to hear from you! Drop us a line, and we’ll get in touch!