HIGH · CVE-2025-7359 · CVSS 8.2

CVE-2025-7359: Arbitrary File Access in WooCommerce Counter

Platform

wordpress

Component

counter-visitor-for-woocommerce

Fixed in

1.3.7

AI Confidence: high · NVD · EPSS 0.7% · Reviewed: May 2026

CVE-2025-7359 is an arbitrary file access vulnerability discovered in the Counter live visitors for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to delete files on the server, potentially leading to data loss or a denial-of-service condition. The vulnerability affects versions 1.0.0 through 1.3.6 of the plugin. A patch is expected from the vendor.


Impact and Attack Scenarios

The vulnerability lies in the wcvisitorgetblock function, where insufficient file path validation allows an attacker to specify a directory and delete all files within it. This is a significant risk because it bypasses authentication, meaning any unauthenticated user can trigger the file deletion. The impact extends beyond simple data loss; a targeted attacker could delete critical WordPress files, effectively crippling the website and potentially requiring a complete rebuild. The ability to delete arbitrary files also opens the door to denial-of-service attacks, where an attacker could repeatedly delete files to disrupt website operations.
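The flaw class described above (a request-supplied path used for deletion without an authentication check or path containment) is easiest to see next to its hardened shape. The following is an added illustrative handler, not the plugin's own code; every `example_` name, the cache directory location and the `.json` whitelist are assumptions.

```php
<?php
// Added example, not code from the plugin. Hypothetical names carry the "example_" prefix.
// The unsafe pattern: take a path from the request, iterate it, unlink each entry, with no
// capability check and no check that the path stays inside a plugin-owned directory.
// A hardened handler needs: (1) an authenticated, nonce-protected caller, (2) containment of
// the resolved path under one base directory, (3) single regular files only, never directories.

function example_safe_delete_cache_file( string $requested ): bool {
    // 1. Administrators only, and only through a nonce-protected request.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_ajax_referer( 'example_delete_cache', 'nonce' ); // dies on a bad or missing nonce

    // 2. Confine deletions to one plugin-owned directory (assumed location under uploads).
    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'example-cache' );
    if ( false === $base ) {
        return false;
    }

    // Accept a bare file name only: any separator or traversal component is rejected outright.
    if ( '' === $requested || basename( $requested ) !== $requested ) {
        return false;
    }

    // Resolve after symlink expansion, then require the result to sit strictly under $base.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    // 3. Never remove directories; only regular files of the expected type.
    if ( ! is_file( $target ) || 'json' !== pathinfo( $target, PATHINFO_EXTENSION ) ) {
        return false;
    }

    return unlink( $target );
}

// Registered on wp_ajax_ only (no wp_ajax_nopriv_ hook), so unauthenticated requests
// never reach the handler at all; this alone removes the PR:N condition in the vector.
add_action( 'wp_ajax_example_delete_cache', function () {
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    wp_send_json( array( 'deleted' => example_safe_delete_cache_file( $name ) ) );
} );
```

A refused request returns `{"deleted":false}` without touching the filesystem, which is also the event a defender should log: a caller naming a path outside the cache directory is the signature of this bug class.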

Exploitation Context

CVE-2025-7359 was publicly disclosed on 2025-07-16. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests that a PoC is likely to emerge soon. The EPSS score is currently pending evaluation, but the ease of exploitation and potential impact suggest a medium to high probability of exploitation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.71% (72% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (base score 8.2, HIGH)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: counter-visitor-for-woocommerce
Vendor: danielriera
Affected range: 0 – 1.3.6
Fixed in: 1.3.7

Package Information

Active installs
6K (Niche)
Plugin rating
5.0
Requires WordPress
4.3+
Compatible up to
6.9.4
Requires PHP
5.0+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 312 days since disclosure

Mitigation and Workarounds

The primary mitigation is to upgrade the Counter live visitors for WooCommerce plugin to a version with the vulnerability patched. Until a patch is available, consider implementing temporary workarounds. One approach is to restrict file permissions on the WordPress installation to limit the attacker's ability to delete files, though this may impact legitimate plugin functionality. Web application firewalls (WAFs) can be configured to block requests containing suspicious file paths. Regularly monitor server logs for unusual file deletion activity. After upgrading, verify the fix by attempting to access the vulnerable endpoint with a crafted request and confirming that file deletion is prevented.

How to fix

Update the Counter live visitors for WooCommerce plugin to a patched version. The vulnerability has been resolved in versions later than 1.3.6. Check the plugin page on WordPress.org for the latest available version.


Frequently asked questions

What is CVE-2025-7359 — Arbitrary File Access in WooCommerce Counter?

CVE-2025-7359 is a vulnerability in the Counter live visitors for WooCommerce plugin allowing unauthenticated attackers to delete files on a WordPress server due to flawed file path validation.

Am I affected by CVE-2025-7359 in WooCommerce Counter?

You are affected if you are using the Counter live visitors for WooCommerce plugin versions 1.0.0 through 1.3.6. Upgrade immediately to mitigate the risk.

How do I fix CVE-2025-7359 in WooCommerce Counter?

Upgrade the Counter live visitors for WooCommerce plugin to a patched version. Until a patch is available, restrict file permissions and monitor server logs.

Is CVE-2025-7359 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's simplicity suggests it is likely to be exploited soon. Monitor your systems closely.

Where can I find the official WooCommerce advisory for CVE-2025-7359?

Refer to the WooCommerce plugin repository and WordPress security announcements for the official advisory and patch information.
