
CVE-2025-31070: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in LambertGroup HTML5 Radio Player - WPBakery Page Builder Addon

Severity: High
Tags: Vulnerability, CVE-2025-31070, CWE-22
Published: Wed Jul 16 2025 (07/16/2025, 11:28:06 UTC)
Source: CVE Database V5
Vendor/Project: LambertGroup
Product: HTML5 Radio Player - WPBakery Page Builder Addon

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup HTML5 Radio Player - WPBakery Page Builder Addon allows Path Traversal. This issue affects HTML5 Radio Player - WPBakery Page Builder Addon: from n/a through 2.5.

AI-Powered Analysis

Last updated: 07/16/2025, 12:17:27 UTC

Technical Analysis

CVE-2025-31070 is a high-severity path traversal vulnerability (CWE-22) found in the LambertGroup HTML5 Radio Player - WPBakery Page Builder Addon, a plugin component used within the WPBakery Page Builder environment for WordPress. This vulnerability allows an unauthenticated remote attacker to manipulate file path inputs to access files and directories outside the intended restricted directory. Specifically, the flaw arises due to improper limitation of pathname inputs, enabling traversal sequences (e.g., '../') to escape the designated directory boundaries. The vulnerability affects all versions up to 2.5 of the addon. Exploitation requires no user interaction and no privileges, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is primarily on confidentiality, as attackers can read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other private data. The vulnerability does not affect integrity or availability directly. No known public exploits have been reported yet, and no patches have been published at the time of disclosure. The vulnerability was reserved in March 2025 and published in July 2025. Given the nature of the vulnerability and the widespread use of WPBakery Page Builder in WordPress sites, this flaw poses a significant risk to websites using this addon, especially those hosting sensitive or regulated data.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information stored on web servers running vulnerable versions of the LambertGroup HTML5 Radio Player addon. This could include personal data protected under GDPR, intellectual property, or internal configuration files that could facilitate further attacks. The exposure of such data could result in regulatory penalties, reputational damage, and operational disruptions. Since WordPress is a popular CMS in Europe and WPBakery Page Builder is widely used for site customization, many organizations, including SMEs, media companies, and e-commerce platforms, could be affected. Attackers exploiting this vulnerability could gain insights into server configurations or credentials, enabling subsequent attacks such as privilege escalation or lateral movement. The lack of required authentication and user interaction increases the risk of automated exploitation attempts, potentially leading to widespread scanning and compromise attempts across European web infrastructure.

Mitigation Recommendations

Organizations should immediately audit their WordPress installations to identify the presence of the LambertGroup HTML5 Radio Player - WPBakery Page Builder Addon and verify the version in use. Until an official patch is released, mitigation can include disabling or uninstalling the vulnerable addon to eliminate exposure. Web application firewalls (WAFs) should be configured to detect and block path traversal patterns in HTTP requests targeting the affected plugin endpoints. Additionally, implementing strict file system permissions to limit the web server's access to sensitive directories can reduce the impact of successful exploitation. Monitoring web server logs for suspicious requests containing traversal sequences is recommended to detect potential exploitation attempts. Organizations should subscribe to LambertGroup and WPBakery security advisories to apply patches promptly once available. Finally, conducting regular security assessments and penetration tests focusing on plugin vulnerabilities can help identify and remediate similar issues proactively.
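To make the log-monitoring recommendation concrete, here is an added example (not code from the advisory, LambertGroup or WPBakery) that scans combined-format web server log lines for requests to a plugin directory whose path or query contains traversal sequences, including single- and double-percent-encoded forms. The plugin directory `PLUGIN-SLUG` and the `player.php?file=` endpoint are placeholders, not the addon's real paths, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access log lines; PLUGIN-SLUG and player.php?file=
# are placeholders standing in for the affected addon's real directory/endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2025:11:30:01 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/player.php?file=stream.mp3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2025:11:30:02 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/player.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.9 - - [16/Jul/2025:11:30:03 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/player.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.11 - - [16/Jul/2025:11:30:04 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/player.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.2 - - [16/Jul/2025:11:30:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client IP, timestamp, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/wp-content/plugins/PLUGIN-SLUG/"  # placeholder for the addon's directory


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so ..%2F and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str) -> bool:
    """True if any path or query segment of the decoded request target is '..'."""
    decoded = fully_decode(target).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?=&]", decoded))


def find_traversal_attempts(log_text: str, plugin_prefix: str = PLUGIN_PREFIX) -> list:
    """Return one record per request to the plugin directory that carries a traversal sequence.

    A 200 status with a non-trivial response size on such a request is the strongest
    signal that a file outside the intended directory was actually served.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith(plugin_prefix) and is_traversal(target):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "target": fully_decode(target)})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Feed real log files through `find_traversal_attempts` with the plugin's actual directory as `plugin_prefix`; the decoded target in each record shows what file the request tried to reach.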


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-26T09:25:47.353Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68779108a83201eaacda5873

Added to database: 7/16/2025, 11:46:16 AM

Last enriched: 7/16/2025, 12:17:27 PM

Last updated: 8/10/2025, 11:30:46 PM

Views: 16
