Platform: wordpress
Component: download-counter
Fixed in: 1.4.1
CVE-2025-60242 identifies an Arbitrary File Access vulnerability within the Anatoly Download Counter plugin for WordPress. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. Versions of the plugin from 0.0.0 through 1.4 are affected. A patch has been released in version 1.4.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. Successful exploitation could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. Depending on the files accessible, an attacker could gain a deeper understanding of the server's infrastructure, potentially leading to further exploitation. While no direct precedent for this specific plugin exists, path traversal vulnerabilities are frequently exploited to gain unauthorized access to system resources.
CVE-2025-60242 was publicly disclosed on 2025-11-06. There is no indication of active exploitation campaigns or inclusion on the CISA KEV catalog at this time. Public proof-of-concept exploits are currently unavailable, but the nature of path traversal vulnerabilities makes it likely that one will emerge.
WordPress sites utilizing the Anatoly Download Counter plugin, particularly those running older versions (0.0.0–1.4), are at risk. Shared hosting environments where plugin updates are not managed by the site administrator are also particularly vulnerable.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/download-counter/  # look for relative path handling in the installed plugin source
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/download-counter/download.php?file=../../../../etc/passwd'  # Check for file disclosure (HEAD request: only the status code is visible, not the body)
Exploit status
EPSS: 0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-60242 is to immediately upgrade the Anatoly Download Counter plugin to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive directories to prevent unauthorized access. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via the vulnerable endpoint and verifying that access is denied.
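The two defensive pieces the detection snippet and the mitigation paragraph above call for are shown below as an added example: it is not code from the Anatoly Download Counter plugin (which is PHP; the pattern ports directly) and it is written in Python so it can be run as-is. `safe_download_path` is the fix pattern a download endpoint needs (canonicalise the requested name and refuse anything that resolves outside the allowed directory, including percent-encoded and double-encoded `..`), and `scan_access_log` is the core of a WAF rule or log-review check that flags traversal sequences in query parameters. The function names, the temporary demo directory and the access-log lines are all constructed for this example; the endpoint path in the sample logs is the one the page's own curl check uses.

```python
"""Defensive checks for a download endpoint exposed to path traversal.

Added example, not the plugin's code. make_demo_tree(), safe_download_path(),
has_traversal(), scan_access_log() and the LOGS lines are constructed here.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


def make_demo_tree() -> str:
    """Build a throwaway layout (constructed) and return the allowed directory:
        <tmp>/downloads/report.pdf   the only file the endpoint may serve
        <tmp>/secret.txt             one level up; must stay unreachable
    """
    root = tempfile.mkdtemp(prefix="dlcounter-demo-")
    base = os.path.join(root, "downloads")
    os.mkdir(base)
    with open(os.path.join(base, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 demo")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db_password=example\n")
    return base


def safe_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` inside `base_dir`; return None for anything that escapes."""
    base = os.path.realpath(base_dir)
    # Decode twice so a double-encoded %252e%252e does not slip past the check.
    name = unquote(unquote(requested))
    if not name or "\x00" in name:
        return None
    # Treat backslashes as separators so '..\\' is handled like '../'.
    name = name.replace("\\", "/")
    if os.path.isabs(name):
        return None
    # realpath collapses '..' and follows symlinks, so the comparison below
    # sees the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: '/srv/dl2/x' must not pass for base '/srv/dl'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


# A '..' path segment after decoding: matches '../x', 'x/../y' and 'x/..'.
_DOT_DOT = re.compile(r"(^|/)\.\.(/|$)")


def has_traversal(value: str) -> bool:
    """True if a query value carries a '..' segment in plain, encoded or
    double-encoded form; usable as the core of a WAF rule or log filter."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return _DOT_DOT.search(decoded) is not None


# Request line of the Apache/nginx combined log format.
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (request target, status) for every request whose query string
    contains a traversal sequence. A 200 on such a line means the server
    answered the request and the file may have been disclosed."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        target = m.group("target")
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if any(has_traversal(v) for values in params.values() for v in values):
            hits.append((target, m.group("status")))
    return hits


# Constructed sample log lines (client addresses are documentation ranges).
LOGS = [
    '203.0.113.5 - - [06/Nov/2025:10:00:01 +0000] "GET /wp-content/plugins/download-counter/download.php?file=report.pdf HTTP/1.1" 200 4096',
    '203.0.113.7 - - [06/Nov/2025:10:00:02 +0000] "GET /wp-content/plugins/download-counter/download.php?file=../../../../etc/passwd HTTP/1.1" 200 1210',
    '203.0.113.7 - - [06/Nov/2025:10:00:03 +0000] "GET /wp-content/plugins/download-counter/download.php?file=..%252F..%252Fwp-config.php HTTP/1.1" 403 0',
    '198.51.100.9 - - [06/Nov/2025:10:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 7000',
]


if __name__ == "__main__":
    base = make_demo_tree()
    for req in ("report.pdf", "../secret.txt", "%2e%2e/secret.txt", "/etc/passwd"):
        print(f"{req!r:24} -> {safe_download_path(base, req)}")
    for target, status in scan_access_log(LOGS):
        print(f"traversal attempt, status {status}: {target}")
```

The resolver deliberately rejects rather than "cleans" a bad name: stripping `../` from the input is the pattern that leaves `....//` bypasses behind, whereas comparing the canonical path against the allowed directory is independent of how the traversal was spelled. The log scanner decodes values twice for the same reason, so the `%252F` form in the third sample line is caught as well; a 403 there shows a WAF rule doing its job, while the 200 on the second line is the one an incident responder should chase.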
Update the Download Counter plugin to the latest available version to fix the directory traversal vulnerability. Check for available updates in the WordPress plugin repository or on the developer's website. Implement additional security measures, such as limiting file and directory permissions, to mitigate the risk.
CVE-2025-60242 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server through path traversal in the Anatoly Download Counter plugin versions 0.0.0–1.4.
You are affected if your WordPress site uses the Anatoly Download Counter plugin and is running a version between 0.0.0 and 1.4, inclusive.
Upgrade the Anatoly Download Counter plugin to version 1.4.1 or later. Consider WAF rules to block path traversal attempts as a temporary measure.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-60242, but it's crucial to apply the patch promptly.
Refer to the Anatoly Download Counter plugin's official website or WordPress plugin repository for the latest advisory and update information.