CVE-2025-7359
Published: 16 July 2025
Summary
CVE-2025-7359 is a high-severity Path Traversal (CWE-22) vulnerability in the Counter live visitors for WooCommerce plugin for WordPress (product inferred from references). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 28.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely identification, reporting, and patching of the path traversal flaw in the Counter live visitors for WooCommerce plugin.
- SI-10 (Information Input Validation): prevents exploitation of the insufficient file path validation in wcvisitor_get_block by enforcing input validation at plugin entry points.
- SI-7 (Software, Firmware, and Information Integrity): detects unauthorized file deletions caused by the path traversal vulnerability through integrity verification of software and information on the server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal that lets a remote, unauthenticated attacker delete arbitrary files and directories maps directly to Exploit Public-Facing Application (T1190) for the initial access and to Data Destruction (T1485) for the impact.
NVD Description
The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition.
Deeper analysis
CVE-2025-7359 is a path traversal vulnerability (CWE-22) in the Counter live visitors for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.6. The issue stems from insufficient file path validation in the wcvisitor_get_block function, enabling arbitrary file deletion on the server. Published on 2025-07-16, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), highlighting high integrity impact with low availability impact and no confidentiality impact.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By targeting the flawed function, they can delete all files within an arbitrary directory rather than a single specified file, potentially causing widespread data loss or denial-of-service conditions on the affected WordPress site.
Advisories and patches are documented in the WordPress plugin Trac repository, including the vulnerable code at line 378 of woo-counter-visitor.php in version 1.3.6 and the fix in changeset 3333208. Wordfence's threat intelligence page provides further details on the vulnerability (ID: ae13dc61-c4bf-4b17-8055-98c80a853a2a). Mitigation requires updating the plugin to a version later than 1.3.6.
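To make the "insufficient file path validation" concrete from the defender's side, here is an added PHP sketch; it is not the plugin's code and not the fix in changeset 3333208. It shows a hypothetical block-cache cleanup (function and path names are assumptions) that accepts only a plain identifier and confirms the resolved path still sits under the cache directory before deleting anything.

```php
<?php
// Added illustration, not the plugin's code: confine a user-supplied block
// name to one fixed cache directory before deleting anything. All function
// and path names here are hypothetical.

function resolve_block_dir(string $base_dir, string $block): ?string
{
    // Allow only a plain identifier: rejects "../", "/", "\", NUL bytes, "".
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $block)) {
        return null;
    }
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $block);
    if ($base === false || $target === false) {
        return null; // base or block directory does not exist
    }
    // Belt and braces: after symlink resolution the target must still sit
    // inside the base, otherwise a planted symlink could escape it.
    if (strpos($target . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Returns the number of files removed; 0 when the request was refused.
function clear_block_dir(string $base_dir, string $block): int
{
    $dir = resolve_block_dir($base_dir, $block);
    if ($dir === null) {
        return 0; // worth logging: a rejected name may be a traversal attempt
    }
    $removed = 0;
    foreach (glob($dir . DIRECTORY_SEPARATOR . '*') ?: [] as $file) {
        if (is_file($file) && unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// Constructed demo: one block under the cache dir and one file outside it.
$root = sys_get_temp_dir() . '/wcv-demo-' . getmypid();
mkdir("$root/cache/block1", 0700, true);
touch("$root/cache/block1/a.html");
touch("$root/secret.txt");
if (clear_block_dir("$root/cache", 'block1') !== 1) { throw new RuntimeException('valid block not cleared'); }
if (clear_block_dir("$root/cache", '..') !== 0)     { throw new RuntimeException('traversal accepted'); }
if (!file_exists("$root/secret.txt"))                { throw new RuntimeException('file outside base removed'); }
echo "ok\n";
```

Any request that fails the identifier check or the realpath containment check is refused before the filesystem is touched, which is the property the plugin's original code lacked.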
Details
- CWE(s)