Platform
wordpress
Component
counter-visitor-for-woocommerce
Fixed in
1.3.7
CVE-2025-7359 is an arbitrary file access vulnerability discovered in the Counter live visitors for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to delete files on the server, potentially leading to data loss or a denial-of-service condition. The vulnerability affects versions 1.0.0 through 1.3.6 of the plugin. A patch is expected from the vendor.
The vulnerability lies in the wcvisitorgetblock function, where insufficient file path validation allows an attacker to specify a directory and delete all files within it. This is a significant risk because it bypasses authentication, meaning any unauthenticated user can trigger the file deletion. The impact extends beyond simple data loss; a targeted attacker could delete critical WordPress files, effectively crippling the website and potentially requiring a complete rebuild. The ability to delete arbitrary files also opens the door to denial-of-service attacks, where an attacker could repeatedly delete files to disrupt website operations.
CVE-2025-7359 was publicly disclosed on 2025-07-16. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests that a PoC is likely to emerge soon. The EPSS score is currently pending evaluation, but the ease of exploitation and potential impact suggest a medium to high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.71% (72% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Counter live visitors for WooCommerce plugin to a version with the vulnerability patched. Until a patch is available, consider implementing temporary workarounds. One approach is to restrict file permissions on the WordPress installation to limit the attacker's ability to delete files, though this may impact legitimate plugin functionality. Web application firewalls (WAFs) can be configured to block requests containing suspicious file paths. Regularly monitor server logs for unusual file deletion activity. After upgrading, verify the fix by attempting to access the vulnerable endpoint with a crafted request and confirming that file deletion is prevented.
Update the Counter live visitors for WooCommerce plugin to a patched version. The vulnerability has been resolved in versions later than 1.3.6. Check the plugin page on WordPress.org for the latest available version.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-7359 is a vulnerability in the Counter live visitors for WooCommerce plugin allowing unauthenticated attackers to delete files on a WordPress server due to flawed file path validation.
You are affected if you are using the Counter live visitors for WooCommerce plugin versions 1.0.0 through 1.3.6. Upgrade immediately to mitigate the risk.
Upgrade the Counter live visitors for WooCommerce plugin to a patched version. Until a patch is available, restrict file permissions and monitor server logs.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests it is likely to be exploited soon. Monitor your systems closely.
Refer to the WooCommerce plugin repository and WordPress security announcements for the official advisory and patch information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.