CVE-2025-7359

The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/counter-visitor-for-woocommerce/tags/1.3.6/woo-counter-visitor.php#L378
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae13dc61-c4bf-4b17-8055-98c80a853a2a?source=cve

Configurations

No configuration.

History

16 Jul 2025, 14:58

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-16 07:15

Updated : 2025-07-16 14:58

NVD link : CVE-2025-7359

Mitre link : CVE-2025-7359

CVE.ORG link : CVE-2025-7359

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-7359", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2025-07-16T07:15:24.253", "references": [{"url": "https://plugins.trac.wordpress.org/browser/counter-visitor-for-woocommerce/tags/1.3.6/woo-counter-visitor.php#L378", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae13dc61-c4bf-4b17-8055-98c80a853a2a?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition."}, {"lang": "es", "value": "El complemento Counter live visitors for WooCommerce de WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n wcvisitor_get_block en todas las versiones hasta la 1.3.6 incluida. Esto permite que atacantes no autenticados eliminen archivos arbitrarios del servidor. NOTA: Esta vulnerabilidad elimina todos los archivos de un directorio arbitrario espec\u00edfico, en lugar de un archivo arbitrario espec\u00edfico, lo que puede provocar la p\u00e9rdida de datos o una denegaci\u00f3n de servicio."}], "lastModified": "2025-07-16T14:58:59.837", "sourceIdentifier": "security@wordfence.com"}