Description
The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.
Published: 2025-04-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read
Action: Apply patch
AI Analysis

Impact

The vulnerability (CWE-73) allows an unauthenticated attacker to retrieve arbitrary files from the server hosting the WordPress site. The plugin's history.php file does not sufficiently validate file paths, so an attacker can construct a web request that resolves to arbitrary files on the filesystem, potentially exposing sensitive information such as database credentials or other configuration data.

Affected Systems

The flaw exists in the CLEVER – HTML5 Radio Player With History – Shoutcast and Icecast – Elementor Widget Addon plugin for WordPress. All releases up to and including version 2.4 are affected.

Risk and Exploitability

With a CVSS score of 7.5, the issue is classified as high severity. The EPSS score is less than 1%, indicating that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited remotely with a simple web request and no authentication, so any WordPress installation running the plugin that an attacker can reach is exposed.

Generated by OpenCVE AI on April 28, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CLEVER plugin to the latest available release; if version 2.4 is the latest and still vulnerable, use any newer version that fully addresses the path‑validation flaw.
  • If an upgrade is not immediately possible, remove or disable the history.php file or disable the history feature of the plugin to eliminate the vulnerable endpoint.
  • Configure restrictive file‑system permissions so that the web server runs with the least privilege necessary, preventing read access to sensitive files such as wp-config.php.


Advisories

Source: EUVD
ID: EUVD-2025-15088
Title: The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.

History

Mon, 21 Apr 2025 03:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 19 Apr 2025 04:45:00 +0000

Values Added:

  • Description: The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.
  • Title: CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon <= 2.4 - Unauthenticated Arbitrary File Read
  • Weaknesses: CWE-73
  • References
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:56.469Z

Reserved: 2025-04-01T19:54:20.663Z

Link: CVE-2025-3103

Vulnrichment

Updated: 2025-04-21T02:40:40.454Z

NVD

Status: Deferred

Published: 2025-04-19T05:15:44.380

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3103

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z
