Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER lbg-audio11-html5-shoutcast_history allows Path Traversal. This issue affects CLEVER: from n/a through <= 2.6.
Published: 2025-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the LambertGroup CLEVER plugin is a Path Traversal flaw (CWE‑22) that allows an attacker to download arbitrary files from the server. Because the plugin does not properly limit pathname resolution, a crafted request can read any file the web server can access, resulting in confidentiality exposure of sensitive data.

Affected Systems

LambertGroup CLEVER plugin versions from n/a through 2.6 are affected. The plugin is distributed under the identifier lbg-audio11-html5-shoutcast_history and is used as a WordPress plugin. Any WordPress installation that includes this plugin at version 2.6 or earlier is affected.

Risk and Exploitability

This flaw carries a CVSS score of 7.5, indicating a high severity. The EPSS score is below 1%, suggesting a low current exploitation probability, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is a web‑based request to the plugin’s download endpoint, where an attacker supplies a path containing directory‑traversal sequences to reference files outside the intended directory. Successful exploitation would grant the attacker read access to any file the web server can access, without requiring authentication if the endpoint is publicly reachable.

Generated by OpenCVE AI on April 30, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the CLEVER plugin to a version newer than 2.6 or remove it entirely if it is not required.
  • If an upgrade is not possible immediately, restrict access to the plugin’s download functionality by applying web server rules (e.g., .htaccess or web.config) that block directory traversal patterns and/or require authentication.
  • Implement regular file permission audits and monitor web logs for suspicious file access attempts to detect potential exploitation.

Advisories
Source | ID | Title
EUVD | EUVD-2025-17503 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER allows Path Traversal. This issue affects CLEVER: from n/a through 2.6.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER lbg-audio11-html5-shoutcast_history allows Path Traversal. This issue affects CLEVER: from n/a through <= 2.6.2.
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER lbg-audio11-html5-shoutcast_history allows Path Traversal. This issue affects CLEVER: from n/a through <= 2.6.
Title
  Removed: WordPress CLEVER plugin <= 2.6.2 - Arbitrary File Download vulnerability
  Added: WordPress CLEVER plugin <= 2.6 - Arbitrary File Download Vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER lbg-audio11-html5-shoutcast_history allows Path Traversal. This issue affects CLEVER: from n/a through <= 2.6.
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER lbg-audio11-html5-shoutcast_history allows Path Traversal. This issue affects CLEVER: from n/a through <= 2.6.2.
Title
  Removed: WordPress CLEVER plugin <= 2.6 - Arbitrary File Download Vulnerability
  Added: WordPress CLEVER plugin <= 2.6.2 - Arbitrary File Download vulnerability
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER allows Path Traversal. This issue affects CLEVER: from n/a through 2.6.
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER lbg-audio11-html5-shoutcast_history allows Path Traversal. This issue affects CLEVER: from n/a through <= 2.6.
Title
  Removed: WordPress CLEVER <= 2.6 - Arbitrary File Download Vulnerability
  Added: WordPress CLEVER plugin <= 2.6 - Arbitrary File Download Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: epss {'score': 0.00057}
  Added: epss {'score': 0.00062}


Mon, 09 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER allows Path Traversal. This issue affects CLEVER: from n/a through 2.6.
Title WordPress CLEVER <= 2.6 - Arbitrary File Download Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:10.781Z

Reserved: 2025-03-31T10:06:37.635Z

Link: CVE-2025-31635

Vulnrichment

Updated: 2025-06-09T17:18:56.769Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:38.720

Modified: 2026-04-28T19:31:13.090

Link: CVE-2025-31635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:00:14Z

Weaknesses