CVE-2025-7359
Counter live visitors for WooCommerce <= 1.3.6 - Unauthenticated Arbitrary File Deletion in wcvisitor_get_block
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Counter live visitors for WooCommerce <= 1.3.6 - Unauthenticated Arbitrary File Deletion in wcvisitor_get_block
The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition.
Reserved 2025-07-08 | Published 2025-07-16 | Updated 2025-07-16 | Assigner WordfenceCWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| 2025-07-15: | Disclosed |
Michael Mazzolini
www.wordfence.com/...-c4bf-4b17-8055-98c80a853a2a?source=cve
plugins.trac.wordpress.org/.../1.3.6/woo-counter-visitor.php
Support options
