CVE-2025-7359 Overview
The Counter live visitors for WooCommerce plugin for WordPress contains an arbitrary file deletion vulnerability due to insufficient file path validation in the wcvisitor_get_block function. This path traversal flaw affects all versions up to and including 1.3.6, allowing unauthenticated attackers to delete arbitrary files on the server. Notably, this vulnerability deletes all files in a targeted directory rather than a single specified file, significantly amplifying the potential for data loss or denial of service conditions.
Critical Impact
Unauthenticated attackers can remotely delete entire directories on WordPress servers, leading to complete site compromise, data loss, or denial of service without requiring any user interaction or authentication.
Affected Products
- Counter live visitors for WooCommerce plugin for WordPress versions ≤ 1.3.6
- WordPress installations running the vulnerable plugin
- WooCommerce stores utilizing the visitor counter functionality
Discovery Timeline
- 2025-07-16 - CVE-2025-7359 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7359
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), a critical security weakness that occurs when software fails to properly neutralize special elements within a pathname. The wcvisitor_get_block function in the plugin's woo-counter-visitor.php file lacks adequate validation of user-supplied file paths, enabling attackers to traverse outside intended directories.
The attack can be executed remotely over the network without requiring authentication, making it particularly dangerous for publicly accessible WordPress installations. The vulnerability's behavior of deleting entire directory contents rather than individual files creates a multiplicative impact, where a single malicious request can wipe out critical system files, WordPress core files, or database backups.
Root Cause
The root cause stems from insufficient file path validation in the wcvisitor_get_block function located at line 378 of woo-counter-visitor.php. The function accepts user-controlled input for file path operations without properly sanitizing path traversal sequences such as ../ or implementing allowlist-based validation to restrict operations to safe directories.
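The following PHP is an added example, not the plugin's code and not taken from the fix changeset: it shows the allowlist and canonicalisation check that the root cause above describes as missing, applied before a directory's contents are removed. The function names, the base directory and the temporary sample layout are hypothetical; in a real plugin the base directory would be something like the path returned by wp_upload_dir().

```php
<?php
// Added example, not the plugin's code: resolve a user-supplied directory name
// against an allowlisted base directory before any file operation touches it.
// Function names, the base directory and the sample layout are hypothetical.

/**
 * Return the canonical absolute path of $name inside $baseDir, or null when
 * the input escapes the base directory, is malformed, or is not a directory.
 */
function example_resolve_block_dir(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;                                 // base directory missing
    }
    // Allowlist: exactly one path segment from a conservative character set.
    // This rejects "../", "..\", absolute paths, NUL bytes and encoded forms.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Defence in depth: after symlink resolution the path must still be
    // strictly below the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Remove regular files directly inside a validated directory.
 * Returns the number of files removed, or -1 if the directory was rejected.
 */
function example_clear_block_dir(string $baseDir, string $name): int
{
    $dir = example_resolve_block_dir($baseDir, $name);
    if ($dir === null) {
        return -1;
    }
    $removed = 0;
    foreach (scandir($dir) as $entry) {
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        // Skip subdirectories and symlinks so the call never follows a link
        // out of the base directory and never recurses.
        if (is_file($path) && !is_link($path) && unlink($path)) {
            $removed++;
        }
    }
    return $removed;
}

// Constructed layout in a temporary directory: an allowed block directory
// next to a directory that must never be reachable through the function.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wcvisitor-example-' . getmypid();
mkdir($root . '/blocks/abc123', 0700, true);
mkdir($root . '/protected', 0700, true);
file_put_contents($root . '/blocks/abc123/cache.txt', 'cached block');
file_put_contents($root . '/protected/wp-config.php', 'must survive');

$checks = [
    'valid name resolves'        => example_resolve_block_dir($root . '/blocks', 'abc123') !== null,
    'traversal rejected'         => example_resolve_block_dir($root . '/blocks', '../protected') === null,
    'absolute path rejected'     => example_resolve_block_dir($root . '/blocks', '/etc') === null,
    'delete via traversal fails' => example_clear_block_dir($root . '/blocks', '../protected') === -1,
    'delete inside base works'   => example_clear_block_dir($root . '/blocks', 'abc123') === 1,
    'protected file untouched'   => file_exists($root . '/protected/wp-config.php'),
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ": $label\n";
}

// Clean up the temporary layout.
unlink($root . '/protected/wp-config.php');
rmdir($root . '/protected');
rmdir($root . '/blocks/abc123');
rmdir($root . '/blocks');
rmdir($root);
```

The two checks are deliberately redundant: the character allowlist alone would stop "../" and absolute paths, and the realpath prefix comparison alone would stop them too, but keeping both means a future relaxation of the allowlist (for example to permit subdirectories) does not silently reopen the traversal, and the prefix check also covers symlinks that point outside the base directory.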
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP requests containing path traversal sequences to target arbitrary directories on the server. By manipulating the file path parameter, attackers can navigate outside the plugin's intended scope and delete critical WordPress files, configuration files, or system directories.
The attack flow involves:
- Identifying a WordPress site running the vulnerable plugin version
- Crafting a request to the wcvisitor_get_block function with path traversal sequences
- Targeting critical directories such as wp-config.php location or upload directories
- Executing the request to trigger recursive deletion of the target directory
For technical implementation details, refer to the WordPress WooCommerce Plugin Code and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-7359
Indicators of Compromise
- Unexpected file or directory deletions in WordPress installation directories
- Missing critical files such as wp-config.php, theme files, or plugin files
- Web server error logs showing 404 errors for previously existing files
- Unusual HTTP requests containing path traversal patterns (../) targeting plugin endpoints
Detection Strategies
- Monitor web server access logs for requests to the Counter live visitors for WooCommerce plugin endpoints containing directory traversal sequences
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in HTTP parameters
- Configure file integrity monitoring solutions to alert on unexpected file deletions in WordPress directories
- Review PHP error logs for file operation failures or permission-related warnings
Monitoring Recommendations
- Deploy real-time file system monitoring on WordPress installation directories with alerts for bulk file deletions
- Enable detailed access logging for all requests to /wp-content/plugins/counter-visitor-for-woocommerce/ endpoints
- Configure intrusion detection systems to flag requests with encoded or plain-text path traversal sequences
- Implement automated backups with version retention to enable rapid recovery from file deletion attacks
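The detection and monitoring items above both come down to the same check: find requests to the plugin's directory whose target carries a ".." segment in plain or URL-encoded form. The following PHP is an added example, not the plugin's or Wordfence's code, that performs that check over combined-format access log lines. The log lines are constructed for the example, and the query parameter name example_param is a placeholder, not the plugin's real parameter.

```php
<?php
// Added example, not the plugin's or Wordfence's code: flag access-log
// requests to the plugin's directory that carry plain or URL-encoded path
// traversal sequences. The log lines below are constructed for the example.

const EXAMPLE_PLUGIN_PATH = '/wp-content/plugins/counter-visitor-for-woocommerce/';

// Decode the request target up to twice so that "%2e%2e%2f" and the
// double-encoded "%252e%252e%252f" both normalise to "../", then treat
// backslashes as forward slashes so "..\" is caught as well.
function example_normalize_target(string $target): string
{
    $decoded = $target;
    for ($i = 0; $i < 2; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    return str_replace('\\', '/', $decoded);
}

// True when the normalised target contains a ".." path segment, whether it
// sits in the path or in a query parameter value.
function example_has_traversal(string $normalizedTarget): bool
{
    return preg_match('#(?:^|[/?&=])\.\.(?:/|$|&)#', $normalizedTarget) === 1;
}

// Scan combined-format log lines; return one finding per suspicious request.
function example_scan_access_log(array $lines): array
{
    $findings = [];
    // ip ident user [time] "METHOD target PROTOCOL" status size "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $idx => $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                          // not a combined-format line
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $norm = example_normalize_target($target);
        if (stripos($norm, EXAMPLE_PLUGIN_PATH) === false) {
            continue;                          // not aimed at this plugin
        }
        if (!example_has_traversal($norm)) {
            continue;                          // ordinary plugin asset request
        }
        $findings[] = [
            'line'    => $idx + 1,
            'ip'      => $ip,
            'time'    => $time,
            'method'  => $method,
            'status'  => (int) $status,
            'target'  => $target,
            'decoded' => $norm,
        ];
    }
    return $findings;
}

// Constructed sample: a benign plugin asset request, a plain traversal,
// a URL-encoded traversal, and an unrelated request. "example_param" is a
// placeholder parameter name, not the plugin's real one.
$sampleLog = [
    '203.0.113.5 - - [16/Jul/2025:10:00:01 +0000] "GET /wp-content/plugins/counter-visitor-for-woocommerce/assets/js/counter.js HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jul/2025:10:00:02 +0000] "GET /wp-content/plugins/counter-visitor-for-woocommerce/?example_param=../../ HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Jul/2025:10:00:03 +0000] "GET /wp-content/plugins/counter-visitor-for-woocommerce/?example_param=%2e%2e%2f%2e%2e%2fwp-content HTTP/1.1" 200 0 "-" "curl/8.0"',
    '192.0.2.9 - - [16/Jul/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
];

foreach (example_scan_access_log($sampleLog) as $f) {
    printf("line %d: %s %s -> %s (status %d)\n",
        $f['line'], $f['ip'], $f['method'], $f['decoded'], $f['status']);
}
```

Running the script reports the second and third sample lines and nothing else. The decoding step matters: a substring match for "../" on the raw line would miss the third request, which is also why the Apache rule in the Workarounds section lists encoded forms explicitly. A 200 status on a flagged request is not proof of success, since the plugin's response code does not reflect whether files were removed, so pair this with file integrity monitoring on the directories named in the decoded target.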
How to Mitigate CVE-2025-7359
Immediate Actions Required
- Update the Counter live visitors for WooCommerce plugin to the latest patched version immediately
- Review web server access logs for evidence of exploitation attempts
- Verify integrity of critical WordPress files and restore from backup if necessary
- Temporarily disable the plugin if an update is not available or cannot be applied immediately
Patch Information
The vulnerability has been addressed in a subsequent release of the plugin. The security fix can be reviewed in the WordPress Plugin Changeset Update. Administrators should update to the latest available version through the WordPress admin dashboard or by downloading directly from the WordPress plugin repository.
Workarounds
- Disable or remove the Counter live visitors for WooCommerce plugin until the patch can be applied
- Implement WAF rules to block requests containing path traversal sequences targeting plugin endpoints
- Restrict access to WordPress admin and plugin directories using server-level access controls
- Configure file system permissions to limit the web server user's delete capabilities on critical directories
# Configuration example: Block path traversal attempts in Apache
# Add to .htaccess in WordPress root (needs mod_rewrite and AllowOverride FileInfo)
<IfModule mod_rewrite.c>
RewriteEngine On
# Plain "../" or "..\" anywhere in the query string
RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC,OR]
# URL-encoded forms; QUERY_STRING is matched undecoded, so these must be listed explicitly
RewriteCond %{QUERY_STRING} (%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c|%2e%2e\\) [NC,OR]
# Plain traversal in the request path (Apache normally normalises this before rewriting)
RewriteCond %{REQUEST_URI} (\.\./|\.\.\\) [NC]
RewriteRule .* - [F,L]
</IfModule>
These rules reject any request on the site whose query string contains a traversal sequence, not only requests to the plugin, so test them against legitimate traffic before deploying. They are a stopgap alongside the plugin update, not a replacement for it, and they only take effect when Apache processes .htaccess files.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.