Platform
wordpress
Component
lbg-cleverbakery
Fixed in
2.5.4
CVE-2025-31070 describes an Arbitrary File Access vulnerability within the HTML5 Radio Player - WPBakery Page Builder Addon. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 2.5. A patch is available in version 2.5.4.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. In the context of the HTML5 Radio Player addon, this could allow an attacker to read configuration files, database credentials, or even source code. Successful exploitation could lead to information disclosure, privilege escalation, and potentially complete compromise of the WordPress site. The impact is amplified if the server is configured to serve sensitive files or if the addon is used in conjunction with other vulnerable plugins.
CVE-2025-31070 was publicly disclosed on 2025-07-16. There are currently no known public proof-of-concept exploits available, but the path traversal nature of the vulnerability makes it likely that one will emerge. The EPSS score is currently pending evaluation. Monitor security advisories and vulnerability databases for updates.
WordPress websites utilizing the HTML5 Radio Player - WPBakery Page Builder Addon, particularly those running older versions (0.0.0–2.5), are at risk. Shared hosting environments where users have limited control over plugin installations are also particularly vulnerable.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/wp-content/plugins/lbg-cleverbakery/* # -F matches the literal string ../ instead of treating the dots as regex wildcards
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/lbg-cleverbakery/../../../../etc/passwd' # Check for file disclosure
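To complement the checks above, web server access logs can be reviewed for requests to the plugin path that carry traversal sequences, including percent-encoded and double-encoded forms. The following is an added example, not code from the advisory or the plugin vendor; it assumes combined-format access logs, and the sample log lines, `example.php`, `style.css` and the parameter `f` are constructed for illustration.

```python
import re
from urllib.parse import unquote

PLUGIN_PATH = "/wp-content/plugins/lbg-cleverbakery/"  # plugin slug from this advisory
# Client IP, request target and status from a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." segment at the start, after a path separator, or starting a parameter value.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')

# Constructed sample lines; example.php, style.css and parameter "f" are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jul/2025:10:00:01 +0000] "GET /wp-content/plugins/'
    'lbg-cleverbakery/../../../../etc/passwd HTTP/1.1" 404 153',
    '198.51.100.23 - - [16/Jul/2025:10:02:11 +0000] "GET /wp-content/plugins/'
    'lbg-cleverbakery/example.php?f=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843',
    '198.51.100.24 - - [16/Jul/2025:10:03:40 +0000] "GET /wp-content/plugins/'
    'lbg-cleverbakery/example.php?f=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0',
    '192.0.2.10 - - [16/Jul/2025:10:05:02 +0000] "GET /wp-content/plugins/'
    'lbg-cleverbakery/css/style.css?ver=2.5.4 HTTP/1.1" 200 5120',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_requests(lines):
    """Return (client_ip, raw_target, status) for plugin requests containing ../"""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        decoded = fully_decode(target)
        if PLUGIN_PATH in decoded.lower() and TRAVERSAL_RE.search(decoded):
            hits.append((ip, target, status))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A hit that was answered with status 200 deserves the closest review, since it may mean file contents were returned.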
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-31070 is to immediately upgrade the HTML5 Radio Player - WPBakery Page Builder Addon to version 2.5.4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress server to minimize the potential damage from a successful exploit. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
Upgrade the HTML5 Radio Player - WPBakery Page Builder Addon plugin to version 2.5.4 or later to mitigate the directory traversal vulnerability. This update corrects how the plugin handles file paths, preventing unauthorized access to sensitive files.
CVE-2025-31070 is a HIGH severity vulnerability allowing attackers to read files outside of intended directories in the HTML5 Radio Player plugin for WordPress.
You are affected if you are using the HTML5 Radio Player - WPBakery Page Builder Addon versions 0.0.0 through 2.5. Check your plugin versions immediately.
Upgrade the HTML5 Radio Player - WPBakery Page Builder Addon to version 2.5.4 or later to resolve this vulnerability.
As of the current date, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the LambertGroup website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-31070.