Description
The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition.
Published: 2025-07-16
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion causing data loss or denial of service
Action: Upgrade or Remove
AI Analysis

Impact

The Counter live visitors for WooCommerce plugin is vulnerable because the wcvisitor_get_block function does not properly validate the file path supplied. An attacker who can access the plugin endpoint can therefore delete all files within any directory the server allows, which can lead to loss of critical data or a complete denial of service for the site. The weakness is a classic improper file handling issue.

Affected Systems

All installations of the Counter live visitors for WooCommerce plugin built by DanielRiera, specifically version 1.3.6 and earlier, are affected. Older or newer releases after 1.3.6 are presumed not to contain the flaw.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity. The EPSS score of less than 1% shows a very low probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be unauthenticated, as the flaw stems from insufficient input validation that does not require user authentication. An attacker could exploit the flaw by making a crafted request to the vulnerable endpoint and specifying a target directory to delete.

Generated by OpenCVE AI on April 20, 2026 at 20:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Counter live visitors for WooCommerce plugin to version 1.3.7 or later
  • If an upgrade is not possible, remove the plugin entirely from the WordPress installation
  • Disable or restrict access to the wcvisitor_get_block endpoint by applying web‑application firewall rules or by adding authentication checks before the function is called

Generated by OpenCVE AI on April 20, 2026 at 20:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21584 The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00151}

Wed, 16 Jul 2025 06:45:00 +0000

Type Values Removed Values Added
Description The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition.
Title Counter live visitors for WooCommerce <= 1.3.6 - Unauthenticated Arbitrary File Deletion in wcvisitor_get_block
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:18.798Z

Reserved: 2025-07-08T15:20:05.421Z

Link: CVE-2025-7359

cve-icon Vulnrichment

Updated: 2025-07-16T13:32:50.814Z

cve-icon NVD

Status : Deferred

Published: 2025-07-16T07:15:24.253

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses