Platform
wordpress
Component
game-users-share-buttons
Fixed in
1.3.1
CVE-2025-6755 is an arbitrary file deletion vulnerability in the Game Users Share Buttons plugin for WordPress. It allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server, which can be escalated to remote code execution. Versions 1.0.0 through 1.3.0 are affected; the fix is in version 1.3.1.
The root cause is the ajaxDeleteTheme() function, which does not validate the file path it builds from the themeNameId parameter of an AJAX request. An attacker can supply a traversal sequence such as ../../../../wp-config.php and the handler unlinks that file. Note that deleting wp-config.php does not disclose the database credentials it contains; the impact is different and worse: with the configuration file gone, WordPress falls back to its installation routine, which lets the attacker reconnect the site to a database under their control and create an administrator account, and an administrator can upload a plugin or theme containing arbitrary PHP. The practical outcome is therefore full compromise of the site, loss of data, and a foothold for further attacks on the server.
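To make the bug class concrete, the PHP below is an added illustration written for this page, not the plugin's real code. It shows the shape of an unchecked unlink on a user-supplied name beside a hardened handler that checks capability and nonce and confines the resolved path to the plugin's own theme directory. The action name ajaxDeleteTheme and the parameter themeNameId are the ones this advisory documents; the directory layout, the function names, and the nonce action are assumptions.

```php
<?php
// Added illustration of the bug class, not the plugin's code. Assumed layout:
// theme files live in <plugin dir>/themes/<themeNameId>; the AJAX action name
// ajaxDeleteTheme and the parameter themeNameId are the ones this advisory documents.

// Vulnerable shape: the user-controlled name is appended to a directory and the
// result is unlinked with no check, so ../../../../wp-config.php walks out of it.
function gusb_vulnerable_delete_theme() {
    $name = isset( $_POST['themeNameId'] ) ? $_POST['themeNameId'] : '';
    $path = plugin_dir_path( __FILE__ ) . 'themes/' . $name;
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_die();
}

// Pure helper, runnable outside WordPress: accept only a plain token, then
// confirm the canonical path still lies inside $base. realpath() returns false
// for a missing file, which is treated as a refusal as well.
function gusb_resolve_theme_path( $base, $name ) {
    if ( ! is_string( $name ) || ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $name ) ) {
        return false;
    }
    $base_real = realpath( $base );
    $target    = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $base_real || false === $target ) {
        return false;
    }
    // Trailing separator so that /themes-other does not pass as inside /themes.
    if ( 0 !== strpos( $target, $base_real . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $target;
}

// Hardened handler: who may call it, was the request intended, and which file.
function gusb_hardened_delete_theme() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'gusb_delete_theme', 'nonce' ); // assumed nonce action and field
    $name = isset( $_POST['themeNameId'] ) ? wp_unslash( $_POST['themeNameId'] ) : '';
    $path = gusb_resolve_theme_path( plugin_dir_path( __FILE__ ) . 'themes', $name );
    if ( false === $path || ! is_file( $path ) ) {
        wp_send_json_error( 'invalid theme id', 400 );
    }
    if ( ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_ajaxDeleteTheme', 'gusb_hardened_delete_theme' );
}
```

The allowlist regex alone already rejects every traversal payload, because neither `.` nor `/` is permitted in a theme id; the realpath comparison is a second, independent check so that a later change to the allowlist cannot silently reopen the hole. Capability and nonce checks matter on their own: even with a safe path, a Subscriber should not be able to delete anything the plugin manages.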
The vulnerability was publicly disclosed on 2025-06-28. No public exploit is known at the time of writing, but exploitation needs only a low-privileged account and a single crafted request, and the possible escalation to remote code execution makes this a high-priority fix. Monitor security advisories and threat-intelligence feeds for signs of active exploitation. The CVSS base score is 8.8 (HIGH).
Any WordPress site running the plugin in versions 1.0.0 through 1.3.0 is affected. Sites that allow user registration are exposed to anyone, since a newly registered account has the Subscriber role by default. On shared hosting where several WordPress sites run under the same system user, a compromise of one site can spread to the others. Sites without a WAF rule for this request have no secondary barrier, and restrictive permissions on wp-config.php itself help little, because the PHP worker that runs the plugin usually has write access to the directory that contains it.
• wordpress / composer / npm:
grep -r "ajaxDeleteTheme" /var/www/html/wp-content/plugins/game-users-share-buttons/
This confirms that the plugin is installed and contains the handler. Compare the installed version against 1.3.1; the grep by itself does not tell a patched copy from a vulnerable one.
• wordpress / composer / npm:
wp plugin get game-users-share-buttons --field=version
Reports the installed version whether or not the plugin is active. Anything from 1.0.0 to 1.3.0 is vulnerable; an inactive copy should still be updated or removed, since it can be reactivated.
• wordpress / composer / npm:
curl -s -o /dev/null -w '%{http_code}\n' 'http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=ajaxDeleteTheme&themeNameId=../../../../wp-config.php'
Checks that a WAF rule blocks the request: expect 403. Keep the URL quoted, otherwise the shell treats the & as a background operator. Send the probe without a session cookie; according to this advisory the deletion requires an authenticated account, so an unauthenticated request exercises only the WAF. Any other status code means the request reached WordPress unblocked and says nothing about whether the plugin is patched.
Exploit status
EPSS
1.21% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Game Users Share Buttons plugin to version 1.3.1 or later. If the update cannot be applied immediately, deactivate the plugin, or add a Web Application Firewall (WAF) rule that blocks requests to admin-ajax.php whose action is ajaxDeleteTheme and whose themeNameId contains a path separator or a traversal sequence, including URL-encoded forms. Tightening the mode bits on wp-config.php alone does not prevent deletion, because unlink is governed by write access to the containing directory; where the hosting allows it, marking the file immutable (chattr +i on Linux) or keeping it owned by a user other than the PHP worker does add a real barrier. Regularly review installed plugins and remove unused or abandoned ones to reduce the attack surface.
Update the Game Users Share Buttons plugin to the latest available version, since versions after 1.3.0 include fixes for this vulnerability. Be sure to back up your website before updating any plugin.
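For the interim case where the update cannot be applied right away and no WAF is in front of the site, the following must-use plugin is an added example written for this page, not code from the plugin's author. It rejects the dangerous request inside WordPress before the plugin's own handler runs, keyed on the action and parameter names this advisory documents. The file location under wp-content/mu-plugins/, the function names, and the strict token format for a theme id are assumptions; widen the regex if the plugin's legitimate ids use other characters.

```php
<?php
/*
Plugin Name: Virtual patch for CVE-2025-6755 (added example, not the plugin's own code)
Description: Rejects ajaxDeleteTheme requests whose themeNameId is not a plain token.
*/
// Assumed install location: wp-content/mu-plugins/cve-2025-6755-guard.php.
// Must-use plugins load before regular plugins, and admin-ajax.php fires
// admin_init before it dispatches any wp_ajax_* callback, so this runs first.

// A theme id is accepted only as a single path component of letters, digits,
// '-' and '_'. Anything with '.', '/', '\\' or '%' (encoded traversal) is refused.
function gusb_vp_theme_id_is_safe( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    return 1 === preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $value );
}

function gusb_vp_guard_delete_theme() {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    if ( 'ajaxDeleteTheme' !== $action ) {
        return; // not the vulnerable endpoint, let the request through
    }
    $id = isset( $_REQUEST['themeNameId'] ) ? wp_unslash( $_REQUEST['themeNameId'] ) : '';
    if ( gusb_vp_theme_id_is_safe( $id ) ) {
        return;
    }
    // Log enough to investigate: who sent it and from where.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'CVE-2025-6755 guard: blocked themeNameId=%s user=%d ip=%s',
        is_string( $id ) ? $id : gettype( $id ),
        get_current_user_id(),
        $ip
    ) );
    wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error exits
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_init', 'gusb_vp_guard_delete_theme', 0 );
}
```

The guard is an allowlist rather than a denylist of traversal strings, so encoded, doubled, or platform-specific separators need no special handling: anything that is not a plain token is refused. Remove the file once the plugin is on 1.3.1 or later, since it blocks only this one request pattern and is not a substitute for the upstream fix.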
CVE-2025-6755 is a vulnerability in the Game Users Share Buttons WordPress plugin that allows authenticated Subscriber-level users to delete arbitrary files, potentially leading to remote code execution. It affects versions 1.0.0 through 1.3.0 and has a CVSS score of 8.8 (HIGH).
You are affected if your WordPress site uses the Game Users Share Buttons plugin in versions 1.0.0 through 1.3.0. Check your plugin versions immediately to determine your exposure.
Upgrade the Game Users Share Buttons plugin to version 1.3.1 or later. Until you can, deactivate the plugin or deploy a WAF rule that blocks ajaxDeleteTheme requests carrying path traversal in themeNameId.
Active exploitation is not currently confirmed, but the low privilege required and the simplicity of the request make it a likely target. Watch for admin-ajax.php requests with action=ajaxDeleteTheme and unusual themeNameId values, and for unexpected deletion of wp-config.php or other core files.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.