CVE-2025-6755
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-28

Last updated on: 2025-07-07

Assigner: Wordfence

Description
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-28
Last Modified
2025-07-07
Generated
2026-05-07
AI Q&A
2025-06-28
EPSS Evaluated
2026-05-05
NVD
CVE-2025-6755
EUVD
EUVD-2025-19576
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gameusers game_users_share_button to 1.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Game Users Share Buttons WordPress plugin allows Subscriber-level attackers to delete arbitrary files on the server by exploiting insufficient file path validation in the ajaxDeleteTheme() function. Attackers can manipulate the themeNameId parameter in an AJAX request to specify file paths outside the intended directory, such as ../../../../wp-config.php, potentially leading to remote code execution.


How can this vulnerability impact me? :

This vulnerability can have severe impacts including unauthorized deletion of critical files on the server, which can disrupt website functionality or lead to complete site compromise. It also enables remote code execution, allowing attackers to run malicious code remotely, potentially leading to data breaches, website defacement, or further exploitation of the server.


What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate this vulnerability include disabling or uninstalling the Game Users Share Buttons plugin version 1.3.0 or earlier until a patched version is released. Since the plugin has been temporarily closed and is unavailable for download as of June 26, 2025, pending review, avoid using it in your WordPress installation. Additionally, restrict Subscriber-level user permissions to prevent exploitation and monitor your system for suspicious AJAX requests targeting the themeNameId parameter. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart