CVE-2025-7359
📋 TL;DR
The Counter live visitors for WooCommerce WordPress plugin has an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete all files in any directory on the server. This affects all WordPress sites using the plugin version 1.3.6 or earlier. Attackers can cause complete data loss or denial of service by wiping critical directories.
💻 Affected Systems
- Counter live visitors for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through deletion of system files, website destruction with all data loss, and permanent denial of service requiring full server restoration from backups.
Likely Case
Website defacement or destruction by deleting WordPress core files, plugin files, or upload directories, causing extended downtime and data loss.
If Mitigated
Limited impact if file permissions restrict the web server user's write access, but web-accessible content the web user owns can still be deleted.
🎯 Exploit Status
The vulnerability is simple to exploit with basic HTTP requests and requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.7 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Counter live visitors for WooCommerce'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.3.7+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable or remove vulnerable plugin
Temporarily disable or completely remove the vulnerable plugin until patched.
wp plugin deactivate counter-visitor-for-woocommerce
wp plugin delete counter-visitor-for-woocommerce
Restrict web server file permissions
Set restrictive file permissions to prevent the web server user from deleting critical files.
chmod 755 /var/www/html
chmod 644 /var/www/html/*.php
chown root:root /var/www/html/wp-config.php
🧯 If You Can't Patch
- Immediately disable the Counter live visitors for WooCommerce plugin via WordPress admin or command line.
- Implement web application firewall rules to block requests to the vulnerable wcvisitor_get_block function.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin plugins page for 'Counter live visitors for WooCommerce' version 1.3.6 or lower.
Check Version:
wp plugin get counter-visitor-for-woocommerce --field=version
Verify Fix Applied:
Confirm plugin version is 1.3.7 or higher in WordPress admin or via wp-cli: wp plugin get counter-visitor-for-woocommerce --field=version
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=wcvisitor_get_block containing directory traversal patterns
- Web server error logs showing 'No such file or directory' errors for unexpected file deletions
- WordPress debug logs showing file operation errors
Network Indicators:
- Unusual HTTP requests to admin-ajax.php with directory traversal payloads
- Multiple DELETE or file-operation requests from a single IP address
SIEM Query:
source="web_server_logs" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "wcvisitor_get_block") AND (parameters CONTAINS "../" OR parameters CONTAINS "/etc/" OR parameters CONTAINS "/root/")
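The log indicators and SIEM query above, implemented as a small scanner over access log lines. This is an added example, not part of the advisory; it assumes Apache/nginx combined log format with the request parameters in the query string (request bodies are normally not written to access logs), and the log lines are constructed samples, not captured traffic. It also URL-decodes parameter values so encoded traversal sequences are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcvisitor_get_block&dir=../../wp-content/uploads HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Jul/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=wcvisitor_get_block&dir=%2Fetc%2F HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Jul/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=wcvisitor_get_block HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Patterns from the advisory's SIEM query, plus the Windows-style traversal form.
SUSPICIOUS = ("../", "..\\", "/etc/", "/root/")


def is_suspicious(line):
    """Return (client_ip, matched_pattern) for a wcvisitor_get_block request
    carrying a traversal or absolute-path pattern, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/wp-admin/admin-ajax.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "wcvisitor_get_block" not in params.get("action", []):
        return None
    for values in params.values():
        for value in values:
            # parse_qs already decoded once; decode again to catch double encoding.
            decoded = unquote(value)
            for pattern in SUSPICIOUS:
                if pattern in decoded:
                    return (m.group("ip"), pattern)
    return None


def scan(log_text):
    """Scan a block of log text and return all (client_ip, pattern) hits in order."""
    return [hit for hit in map(is_suspicious, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, pattern in scan(SAMPLE_LOG):
        print(f"ALERT {ip}: wcvisitor_get_block request containing {pattern!r}")
```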