CVE-2025-60242
📋 TL;DR
This path traversal vulnerability in the WordPress Download Counter plugin allows attackers to download arbitrary files from the server by manipulating file paths. It affects all WordPress sites running Download Counter version 1.4 or earlier. Attackers can access sensitive files like configuration files, passwords, or source code.
💻 Affected Systems
- WordPress Download Counter plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through retrieval of sensitive configuration files (like wp-config.php containing database credentials), leading to data theft, site defacement, or further attacks.
Likely Case
Exfiltration of sensitive files containing credentials, configuration data, or user information, potentially enabling lateral movement or privilege escalation.
If Mitigated
Limited impact if file permissions are properly restricted and sensitive files are stored outside web-accessible directories.
🎯 Exploit Status
Exploitation requires simple HTTP requests with manipulated file paths. Public proof-of-concept exists in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: >1.4
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Download Counter' and update to latest version. 4. If no update available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Deactivate plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate download-counter
Web server file restriction
linuxConfigure web server to block directory traversal attempts
# For Apache: add to .htaccess
RewriteCond %{REQUEST_URI} \.\. [NC]
RewriteRule .* - [F]
🧯 If You Can't Patch
- Remove plugin files completely from wp-content/plugins/download-counter directory
- Implement WAF rules to block requests containing directory traversal patterns (../, ..\, etc.)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Download Counter version <=1.4Check Version:
wp plugin list --name=download-counter --field=versionVerify Fix Applied:
Verify plugin version is >1.4 or plugin is removed from wp-content/plugins directory📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or '..\' patterns to download-counter endpoints
- Unusual file access patterns from single IPs
Network Indicators:
- HTTP GET requests with path traversal sequences in URL parameters
SIEM Query:
source="web_logs" AND (url="*download-counter*" AND (url="*../*" OR url="*..\\*"))