Platform
wordpress
Component
counter-visitor-for-woocommerce
Fixed in
1.3.7
CVE-2025-7359 is an arbitrary file deletion vulnerability in the Counter live visitors for WooCommerce plugin for WordPress. It allows unauthenticated attackers to delete files on the server, potentially leading to data loss, a denial-of-service condition or site takeover. Versions 1.0.0 through 1.3.6 of the plugin are affected; the vendor fixed the issue in 1.3.7.
The primary impact of CVE-2025-7359 is that an unauthenticated attacker can delete files on the web server. The flaw stems from insufficient file path validation in the plugin's wcvisitor_get_block function: the path it operates on is not confined to the directory the plugin owns. Rather than removing a single specified file, the vulnerable code removes all files within the targeted directory, which broadens the impact considerably. An attacker can thereby delete core WordPress files, theme files or application data, taking the site down entirely or compromising its data; removing wp-config.php, for instance, drops WordPress back into its installer, a well-known route from file deletion to full site takeover. Because no authentication is required, anyone who can reach the site can trigger the deletion, which makes this a high-risk issue.
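The following PHP is an added illustration, not code from the Counter live visitors for WooCommerce plugin. It reproduces the class of bug described above (a request-controlled path reaches unlink() without being confined to the plugin's own directory, and a whole directory is cleared instead of one file) next to the guard that closes it. The function names, the PLUGIN_DATA_DIR constant and the fixture files are hypothetical; a real plugin would derive its directory from wp_upload_dir().

```php
<?php
// Added illustration only; NOT code from the Counter live visitors for
// WooCommerce plugin. Function and parameter names are hypothetical.

// Directory the plugin is allowed to manage. A real plugin would derive this
// from wp_upload_dir(); it is fixed here so the script runs outside WordPress.
define('PLUGIN_DATA_DIR', sys_get_temp_dir() . '/wcvisitor-demo');

// Vulnerable pattern: the caller's value is spliced into a path and every file
// in the resulting directory is removed. "../" segments walk out of
// PLUGIN_DATA_DIR, so one request can empty an arbitrary directory.
function vulnerable_delete_block(string $userPath): void
{
    $dir = PLUGIN_DATA_DIR . '/' . dirname($userPath);
    foreach (glob($dir . '/*') ?: [] as $file) {
        if (is_file($file)) {
            unlink($file);
        }
    }
}

// Hardened version: accept only a bare file name, canonicalise with realpath()
// (which also follows symlinks), require the result to stay under the allowed
// directory, and delete exactly that one file.
function safe_delete_block(string $userPath): bool
{
    // Reject anything with a directory component, traversal, or odd characters.
    if ($userPath === '' || $userPath === '.' || $userPath === '..'
        || basename($userPath) !== $userPath
        || !preg_match('/^[A-Za-z0-9._-]+$/', $userPath)) {
        return false;
    }
    $base = realpath(PLUGIN_DATA_DIR);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    // realpath() is false for a missing file; a symlink inside the directory
    // that points at e.g. wp-config.php resolves outside $base and fails the
    // prefix check below.
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed fixture: the plugin's directory holding one block file, and a
// sibling directory standing in for the WordPress root with a wp-config.php.
$victimDir = sys_get_temp_dir() . '/wcvisitor-demo-victim';
@mkdir(PLUGIN_DATA_DIR, 0700, true);
@mkdir($victimDir, 0700, true);
file_put_contents(PLUGIN_DATA_DIR . '/block.html', '<div>live visitors</div>');
file_put_contents($victimDir . '/wp-config.php', "<?php // stand-in config\n");

$traversal = '../wcvisitor-demo-victim/wp-config.php';
printf("hardened, traversal input rejected: %s\n", safe_delete_block($traversal) ? 'no' : 'yes');
printf("hardened, wp-config.php still present: %s\n", file_exists($victimDir . '/wp-config.php') ? 'yes' : 'no');
printf("hardened, legitimate block.html deleted: %s\n", safe_delete_block('block.html') ? 'yes' : 'no');

vulnerable_delete_block('../wcvisitor-demo-victim/anything');
printf("vulnerable, wp-config.php still present: %s\n", file_exists($victimDir . '/wp-config.php') ? 'yes' : 'no');

// Clean up the fixture.
@rmdir(PLUGIN_DATA_DIR);
@rmdir($victimDir);
```

Run it with `php demo.php`. The guard does three independent things, and all three matter: the basename check refuses any directory component before the filesystem is consulted, realpath() collapses `..` and symlinks so the prefix comparison is made on the canonical path, and the code deletes the one canonical file rather than globbing a directory, so even a validation bypass could not clear a whole tree.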
CVE-2025-7359 was publicly disclosed on 2025-07-16. At the time of writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. The disclosure is recent, and the low barrier to exploitation (no authentication is needed) makes increased targeting likely.
Sites running the Counter live visitors for WooCommerce plugin at version 1.3.6 or earlier (1.0.0–1.3.6) are at risk. On shared hosting the blast radius can be larger: if several sites run under the same OS user, or the PHP process can write to other sites' document roots, a deletion triggered through one site can reach the files of the others.
• wordpress (adjust the directory name to the plugin folder actually present under wp-content/plugins/):
grep -r "wcvisitor_get_block" /var/www/html/wp-content/plugins/counter-live-visitors-for-woocommerce/   # confirms the plugin and the affected function are installed; the function also exists in fixed builds, so check the version too
grep -h "^[[:space:]*]*Version:" /var/www/html/wp-content/plugins/counter-live-visitors-for-woocommerce/*.php   # plugin header; 1.3.6 or lower is affected
wp plugin list --fields=name,version,status | grep -i counter   # same check via WP-CLI
• generic web:
curl -s 'https://your-wordpress-site.com/wp-content/plugins/counter-live-visitors-for-woocommerce/readme.txt' | grep -i 'stable tag'   # remote version fingerprint; readme.txt may be absent or lag behind the installed version
Exploit status
EPSS
0.71% (72nd percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-7359 is to upgrade the Counter live visitors for WooCommerce plugin to 1.3.7 or later. If upgrading is not immediately possible because of compatibility or testing requirements, deactivate the plugin until it can be updated; deactivation stops WordPress from loading it, although plugin files that execute when requested directly can still be reached, so removing the plugin is safer. Restricting write access to the plugin's files and directories helps only where the PHP process does not itself own the files it would be asked to delete, which on many WordPress installations it does, so do not rely on permissions alone. A Web Application Firewall can be configured to block requests to the plugin that carry path traversal sequences or reference files outside its directory, but such a rule is only as good as the request pattern it is written for, so verify it against the plugin's actual request handling. Monitor web server logs for requests to the plugin, and file-integrity or audit logs for unexpected deletions under the document root.
Update the Counter live visitors for WooCommerce plugin to a fixed version. The vulnerability is fixed in versions after 1.3.6, i.e. 1.3.7 and later. Check the plugin's page on WordPress.org for the latest available version.
CVE-2025-7359 is a vulnerability in the Counter live visitors for WooCommerce plugin allowing unauthenticated attackers to delete files on a WordPress server due to flawed file path validation.
You are affected if you are using the Counter live visitors for WooCommerce plugin versions 1.0.0 through 1.3.6. Upgrade immediately to mitigate the risk.
Upgrade the Counter live visitors for WooCommerce plugin to 1.3.7 or later. Until you can, deactivate or remove the plugin, restrict file permissions and monitor server logs.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests it is likely to be exploited soon. Monitor your systems closely.
Refer to the plugin's page on the WordPress.org plugin repository and to WordPress security announcements for the official advisory and patch information.