CVE-2025-3103: CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon <= 2.4 - Unauthenticated Arbitrary File Read

7.5 CVSS

Description

The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.

Classification

CVE ID: CVE-2025-3103

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-73 External Control of File Name or Path

Affected Products

Vendor: LambertGroup

Product: CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.36% (scored less or equal to compared to others)

EPSS Date: 2025-05-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3103
https://www.wordfence.com/threat-intel/vulnerabilities/id/0733261f-a2e1-4bd1-a57d-fdaaa8c904db?source=cve
https://codecanyon.net/item/clever-html5-radio-player-with-history-shoutcast-and-icecast-elementor-widget-addon/26708087#item-description__updates-release-log

Timeline

2025-04-19 05:40:12 UTC
CVE

CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon <= 2.4 - Unauthenticated Arbitrary File Read