{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7359", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-08T15:20:05.421Z", "datePublished": "2025-07-16T06:40:41.216Z", "dateUpdated": "2026-04-08T17:15:18.798Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:18.798Z"}, "affected": [{"vendor": "danielriera", "product": "Counter live visitors for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition."}], "title": "Counter live visitors for WooCommerce <= 1.3.6 - Unauthenticated Arbitrary File Deletion in wcvisitor_get_block", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae13dc61-c4bf-4b17-8055-98c80a853a2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/counter-visitor-for-woocommerce/tags/1.3.6/woo-counter-visitor.php#L378"}, {"url": "https://plugins.trac.wordpress.org/changeset/3333208"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-07-15T18:17:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-16T13:32:49.712037Z", "id": "CVE-2025-7359", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T14:40:48.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7359", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-16T13:32:49.712037Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T13:32:50.814Z"}}], "cna": {"title": "Counter live visitors for WooCommerce <= 1.3.6 - Unauthenticated Arbitrary File Deletion in wcvisitor_get_block", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"}}], "affected": [{"vendor": "danielriera", "product": "Counter live visitors for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-15T18:17:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae13dc61-c4bf-4b17-8055-98c80a853a2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/counter-visitor-for-woocommerce/tags/1.3.6/woo-counter-visitor.php#L378"}, {"url": "https://plugins.trac.wordpress.org/changeset/3333208"}], "descriptions": [{"lang": "en", "value": "The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:18.798Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7359", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:18.798Z", "dateReserved": "2025-07-08T15:20:05.421Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-16T06:40:41.216Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition."}, {"lang": "es", "value": "El complemento Counter live visitors for WooCommerce de WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n wcvisitor_get_block en todas las versiones hasta la 1.3.6 incluida. Esto permite que atacantes no autenticados eliminen archivos arbitrarios del servidor. NOTA: Esta vulnerabilidad elimina todos los archivos de un directorio arbitrario espec\u00edfico, en lugar de un archivo arbitrario espec\u00edfico, lo que puede provocar la p\u00e9rdida de datos o una denegaci\u00f3n de servicio."}], "id": "CVE-2025-7359", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-16T07:15:24.253", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/counter-visitor-for-woocommerce/tags/1.3.6/woo-counter-visitor.php#L378"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3333208"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae13dc61-c4bf-4b17-8055-98c80a853a2a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:17:10.256830+00:00", "value": {"mitigation_remediation": ["Upgrade the Counter live visitors for WooCommerce plugin to version 1.3.7 or later", "If an upgrade is not possible, remove the plugin entirely from the WordPress installation", "Disable or restrict access to the wcvisitor_get_block endpoint by applying web\u2011application firewall rules or by adding authentication checks before the function is called"], "summary": {"action": "Upgrade or Remove", "impact": "Arbitrary file deletion causing data loss or denial of service"}, "threat_synthesis": {"affected_systems": "All installations of the Counter live visitors for WooCommerce plugin built by DanielRiera, specifically version 1.3.6 and earlier, are affected. Older or newer releases after 1.3.6 are presumed not to contain the flaw.", "description_and_impact": "The Counter live visitors for WooCommerce plugin is vulnerable because the wcvisitor_get_block function does not properly validate the file path supplied. An attacker who can access the plugin endpoint can therefore delete all files within any directory the server allows, which can lead to loss of critical data or a complete denial of service for the site. The weakness is a classic improper file handling issue.", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity. The EPSS score of less than 1% shows a very low probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be unauthenticated, as the flaw stems from insufficient input validation that does not require user authentication. An attacker could exploit the flaw by making a crafted request to the vulnerable endpoint and specifying a target directory to delete."}}}}, "created": "2026-04-20T20:30:16.065570+00:00", "updated": "2026-04-20T20:30:16.065581+00:00", "vendors": []}