Platform: wordpress
Component: lbg-cleverbakery
Fixed in: 2.5.4
CVE-2025-31070 describes an Arbitrary File Access vulnerability within the HTML5 Radio Player - WPBakery Page Builder Addon. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 2.5. A patch is available in version 2.5.4.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read files outside of the intended directory. Successful exploitation could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. Depending on the files accessible, this could enable further compromise of the WordPress site, including potential remote code execution if sensitive scripts are exposed. The impact is amplified if the server is configured to serve files directly, making them accessible over HTTP.
This vulnerability was publicly disclosed on 2025-07-16. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation is relatively high due to the path traversal nature of the vulnerability.
Exploit Status
EPSS: 0.08% (23% percentile)
The primary mitigation for CVE-2025-31070 is to immediately upgrade the HTML5 Radio Player - WPBakery Page Builder Addon to version 2.5.4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Restrict file permissions on the WordPress server to minimize the potential impact of a successful exploit. Regularly review WordPress plugin installations and remove any unused or outdated plugins.
Update the HTML5 Radio Player - WPBakery Page Builder Addon plugin to version 2.5.4 or later to mitigate the directory traversal vulnerability. This update corrects how the plugin handles file paths, preventing unauthorized access to sensitive files.
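To support the WAF mitigation above, the following added example (not code from the advisory or the plugin vendor) reviews web server access logs for path traversal sequences, including percent-encoded and double-encoded forms that a plain `../` match misses. It assumes combined-format logs; the request paths, file names and the parameter `p` in the sample lines are constructed placeholders, not the plugin's real endpoints.

```python
import re
from urllib.parse import unquote

SLUG = "lbg-cleverbakery"  # component name given in the advisory
# Request line inside a combined-format log entry: "METHOD target HTTP/x"
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." path segment: starts after a separator, ends at "/" or end of target
DOTDOT = re.compile(r'(?:^|[/=&?])\.\.(?:/|$)')

def normalize(target, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")  # treat backslash as a separator too

def has_traversal(target):
    return bool(DOTDOT.search(normalize(target)))

def scan(lines):
    """Return (line_number, raw_target, mentions_plugin) for suspicious requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        if m and has_traversal(m.group(1)):
            hits.append((n, m.group(1), SLUG in normalize(m.group(1))))
    return hits

# Constructed sample log lines (placeholder paths and parameter name)
SAMPLE = [
    '203.0.113.5 - - [16/Jul/2025:10:00:01 +0000] "GET /wp-content/plugins/'
    'lbg-cleverbakery/x.php?p=../../../wp-config.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Jul/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?p=%252e%252e%252fwp-config.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jul/2025:10:00:03 +0000] "GET /wp-content/plugins/'
    'lbg-cleverbakery/js/player.js?ver=2.5..1 HTTP/1.1" 200 900',
    '198.51.100.7 - - [16/Jul/2025:10:00:04 +0000] "GET /blog/..hidden/post '
    'HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, target, plugin in scan(SAMPLE):
        print(f"line {n}: {target} (references {SLUG}: {plugin})")
```

A hit with a 200 response is worth following up by checking which file the response body contained; hits that reference the plugin directory should be prioritized on sites still running an affected version.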
CVE-2025-31070 is a HIGH severity vulnerability allowing attackers to read files outside of intended directories in the HTML5 Radio Player plugin for WordPress.
You are affected if you are using the HTML5 Radio Player - WPBakery Page Builder Addon versions 0.0.0 through 2.5. Check your plugin versions immediately.
Upgrade the HTML5 Radio Player - WPBakery Page Builder Addon to version 2.5.4 or later to resolve this vulnerability.
As of the current date, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the LambertGroup website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-31070.