Platform: wordpress
Component: download-counter
Fixed in: 1.4.1
CVE-2025-60242 identifies an Arbitrary File Access vulnerability within the Anatoly Download Counter plugin for WordPress. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. Versions of the plugin from 0.0.0 through 1.4 are affected. A patch has been released in version 1.4.1.
The core of this vulnerability lies in improper input validation, specifically a lack of restriction on file paths. An attacker can craft a malicious URL containing path traversal sequences (e.g., ../) to navigate outside the intended download directory. This allows them to access files they shouldn't, potentially including configuration files, sensitive data, or even parts of the server's codebase. The potential impact ranges from information disclosure to, in more severe cases, potential code execution if the attacker can leverage the accessed files to compromise the server further. While direct code execution isn't inherent to the path traversal itself, it could be a stepping stone for other attacks.
This vulnerability was publicly disclosed on 2025-11-06. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No Proof-of-Concept (PoC) code has been publicly released as of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.09% (25th percentile)
The primary mitigation is to immediately upgrade the Anatoly Download Counter plugin to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's download functionality. Implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../, ..\). Regularly scan your WordPress installation for vulnerable plugins using security scanning tools. Verify the upgrade by confirming that requests for files outside the intended download directory are rejected.
Update the Download Counter plugin to the latest available version to fix the directory traversal vulnerability. Check for updates in the WordPress plugin repository or on the developer's website. Implement additional security measures, such as limiting file and directory permissions, to mitigate the risk.
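The kind of path containment check the fix above calls for, written as an added example rather than the plugin's own code: the download directory, the query parameter name and the sample files are assumptions.

```php
<?php
// Added example, not the plugin's code. Resolves a user-supplied file name
// against a fixed download directory ($downloadDir, assumed) and refuses any
// request whose canonical path lies outside it. "../" sequences and symlinks
// pointing elsewhere are rejected; absolute paths are treated as relative to
// the base; NUL bytes and non-existent files are refused.

/** Return the canonical path to serve, or null if the request must be refused. */
function safe_download_path(string $downloadDir, string $requested): ?string
{
    $base = realpath($downloadDir);          // canonical base, false if missing
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // Join, then canonicalise: realpath() collapses ".." and follows symlinks,
    // and returns false when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // Containment check: the resolved path must start with "<base>/". Keeping
    // the separator stops "/srv/downloads-old" passing as a child of
    // "/srv/downloads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Self-check on constructed files in a temporary directory. The "outside"
// file really exists, so its rejection comes from the containment check,
// not from the existence check.
function demo(): bool
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_' . bin2hex(random_bytes(4));
    mkdir($dir);
    $outside = $dir . '_outside.txt';
    file_put_contents($dir . '/report.pdf', 'constructed sample');
    file_put_contents($outside, 'constructed sample outside the directory');
    $ok      = safe_download_path($dir, 'report.pdf') === realpath($dir . '/report.pdf');
    $escape  = safe_download_path($dir, '../' . basename($outside)) === null;
    $missing = safe_download_path($dir, 'nope.pdf') === null;
    unlink($dir . '/report.pdf');
    unlink($outside);
    rmdir($dir);
    return $ok && $escape && $missing;
}

// In a WordPress request handler (assumed query parameter "file"):
//   $path = safe_download_path(WP_CONTENT_DIR . '/uploads/downloads', $_GET['file'] ?? '');
//   if ($path === null) { status_header(404); exit; }
//   readfile($path);
var_dump(demo());
```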
CVE-2025-60242 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server through path traversal in the Anatoly Download Counter plugin versions 0.0.0–1.4.
You are affected if your WordPress site uses the Anatoly Download Counter plugin and is running a version between 0.0.0 and 1.4, inclusive.
Upgrade the Anatoly Download Counter plugin to version 1.4.1 or later. Consider WAF rules to block path traversal attempts as a temporary measure.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-60242, but it's crucial to apply the patch promptly.
Refer to the Anatoly Download Counter plugin's official website or WordPress plugin repository for the latest advisory and update information.