CVE-2025-7359: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in danielriera Counter live visitors for WooCommerce
The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition.
AI Analysis
Technical Summary
CVE-2025-7359 is a path traversal vulnerability classified under CWE-22 found in the Counter live visitors for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.6. The vulnerability arises from improper limitation of file pathnames in the wcvisitor_get_block function, which fails to adequately validate or sanitize user-supplied input that controls file paths. This flaw enables unauthenticated remote attackers to specify arbitrary directory paths on the server, causing the plugin to delete all files within the targeted directory rather than a single file. Unlike typical arbitrary file deletion vulnerabilities, this one deletes entire directories, amplifying the potential damage. The attack vector is network-based, requiring no privileges or user interaction, making it highly accessible to attackers. The vulnerability impacts the integrity and availability of the affected systems by enabling deletion of critical files, potentially leading to data loss, service disruption, or complete denial of service. The CVSS v3.1 base score is 8.2 (high), reflecting the ease of exploitation and significant impact. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The plugin is widely used in WooCommerce-based WordPress e-commerce sites, which increases the potential attack surface.
Potential Impact
The vulnerability allows attackers to delete arbitrary directories and all contained files on the server hosting the vulnerable WooCommerce plugin. This can result in severe data loss, including deletion of critical website files, customer data, or backend configurations. The deletion of essential files can cause website downtime, loss of e-commerce functionality, and potential loss of revenue. Additionally, the denial of service caused by missing files can degrade user trust and damage brand reputation. Since the attack requires no authentication and can be performed remotely, any site using the affected plugin is at risk. Organizations with high-traffic WooCommerce stores or those handling sensitive customer information are particularly vulnerable. Recovery from such an attack may require restoring from backups, which could lead to operational delays and increased costs. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as proof-of-concept or weaponized exploits could emerge rapidly.
Mitigation Recommendations
1. Immediate mitigation involves disabling or uninstalling the Counter live visitors for WooCommerce plugin until a patch is available.
2. Monitor official vendor channels and WordPress plugin repositories for updates or security patches addressing CVE-2025-7359 and apply them promptly.
3. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting path traversal patterns targeting the wcvisitor_get_block function.
4. Restrict file system permissions for the web server user to limit the directories and files that can be deleted by the plugin or web processes, minimizing potential damage.
5. Regularly back up website files and databases, ensuring backups are stored securely and offline to enable recovery in case of data deletion.
6. Conduct security audits and code reviews of installed plugins to identify similar path traversal or file manipulation vulnerabilities.
7. Employ intrusion detection systems (IDS) to alert on unusual file deletion or directory modification activities.
8. Educate site administrators on the risks of installing unverified plugins and maintaining up-to-date software.
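As an added defender-side illustration of recommendations 3 and 7 (not code from this advisory or from the plugin), the following Python scans web server access-log lines for path traversal sequences in requests that reference wcvisitor_get_block, decoding repeatedly so double-encoded sequences are not missed. The sample log lines, the admin-ajax endpoint and the `path` parameter name are constructed assumptions; the advisory does not state how the function is reached.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines for illustration; the endpoint and
# the "path" parameter are assumptions, not taken from the plugin.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2025:06:46:15 +0000] "GET /wp-admin/admin-ajax.php?action=wcvisitor_get_block&path=..%2F..%2Fwp-content HTTP/1.1" 200 512
198.51.100.7 - - [16/Jul/2025:06:47:01 +0000] "GET /wp-admin/admin-ajax.php?action=wcvisitor_get_block&path=cache HTTP/1.1" 200 512
192.0.2.9 - - [16/Jul/2025:06:48:30 +0000] "GET /shop/?add-to-cart=42 HTTP/1.1" 200 8000
203.0.113.5 - - [16/Jul/2025:06:49:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcvisitor_get_block&path=%252e%252e%252f%252e%252e%252fuploads HTTP/1.1" 200 512
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment followed by a slash, backslash, parameter separator or end of string.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|&|$)")


def fully_decode(value, rounds=3):
    """URL-decode until stable (bounded), so %252e%252e%252f collapses to ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target):
    """True when the decoded request targets wcvisitor_get_block and carries a '..' segment."""
    decoded = fully_decode(target)
    return "wcvisitor_get_block" in decoded and TRAVERSAL_RE.search(decoded) is not None


def find_suspicious(log_text):
    """Return (ip, timestamp, raw target) for each log line that looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits
```

The same decode-then-match logic can be expressed as a WAF rule, but decoding to a fixed point before matching is the part most rules get wrong.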
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-08T15:20:05.421Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68774ab7a83201eaacd43812
Added to database: 7/16/2025, 6:46:15 AM
Last enriched: 2/26/2026, 4:06:37 PM
Last updated: 3/24/2026, 8:37:12 PM