Platform: wordpress
Component: game-users-share-buttons
Fixed in: 1.3.1
CVE-2025-6755 describes an arbitrary file deletion vulnerability discovered in the Game Users Share Buttons plugin for WordPress. The flaw allows authenticated, low-privilege users (Subscriber level) to delete arbitrary files on the server, potentially leading to remote code execution. The vulnerability affects versions 1.0.0 through 1.3.0 of the plugin. A patch is expected from the vendor.
The primary impact of CVE-2025-6755 is the potential for remote code execution (RCE). By manipulating the themeNameId parameter in the plugin's AJAX request, an attacker can craft a request that includes file paths like ../../../../wp-config.php. This allows them to delete critical configuration files, potentially gaining control of the WordPress installation. The ability to delete wp-config.php is particularly concerning, as it contains sensitive database credentials and other configuration settings. Successful exploitation could lead to complete compromise of the web server and any data stored within the WordPress database. This vulnerability shares similarities with other file deletion vulnerabilities where insufficient path validation is the root cause.
CVE-2025-6755 was publicly disclosed on 2025-06-28. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the plugin's popularity. Active exploitation campaigns are not currently confirmed, but the vulnerability's severity and ease of exploitation suggest it could become a target.
Exploit Status
EPSS: 1.21% (79th percentile)
The immediate mitigation for CVE-2025-6755 is to upgrade the Game Users Share Buttons plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement a Web Application Firewall (WAF) rule to filter AJAX requests to the ajaxDeleteTheme() function, specifically blocking requests containing relative paths (e.g., ../). Additionally, restrict file permissions on sensitive files like wp-config.php to prevent unauthorized access. After upgrade, confirm the vulnerability is resolved by attempting a file deletion request with a malicious path and verifying that it is blocked.
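As an added example (not part of this advisory or of the plugin's own code), the following Python scans Apache-style access-log lines for admin-ajax.php requests whose themeNameId parameter resolves to a traversal path after repeated percent-decoding, which is the check a WAF rule for this issue also needs so that encoded forms such as %2e%2e%2f are not missed. The log lines are constructed samples, and the plugin's real AJAX action name is not given in the advisory, so it is omitted.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (not real traffic). Only the
# themeNameId parameter named in the advisory is used for matching; the
# plugin's actual AJAX "action" value is not given there and is left out.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jun/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?themeNameId=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jun/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?themeNameId=../../../../wp-config.php HTTP/1.1" 200 14 "-" "curl/8.0"
203.0.113.7 - - [28/Jun/2025:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?themeNameId=%252e%252e%252fwp-config.php HTTP/1.1" 200 14 "-" "curl/8.0"
198.51.100.2 - - [28/Jun/2025:10:02:30 +0000] "GET /index.php?p=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) so a double-encoded
    traversal is judged on its final form, not on the literal bytes sent."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value escapes a single directory: a '..' segment
    (either slash style), an absolute path, or an embedded NUL byte."""
    decoded = fully_decode(value).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/") or "\x00" in decoded


def find_suspicious(log_text: str) -> list:
    """Return admin-ajax.php requests whose themeNameId looks like traversal.
    Access logs only show GET query strings; POST bodies need WAF or
    application-level request logging to be inspected the same way."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        for raw in parse_qs(parts.query).get("themeNameId", []):
            if is_traversal(raw):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "raw": raw, "decoded": fully_decode(raw),
                             "status": m.group("status")})
    return hits
```

A 200 status on a flagged request is the signal to check whether the target file is still present, since the vulnerable versions return success after the deletion.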
Update the Game Users Share Buttons plugin to the latest available version, as versions later than 1.3.0 include fixes for this vulnerability. Ensure you back up your website before updating any plugin.
CVE-2025-6755 is a vulnerability in the Game Users Share Buttons WordPress plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution. It affects versions 1.0.0–1.3.0 and has a CVSS score of 8.8 (HIGH).
You are affected if your WordPress site uses the Game Users Share Buttons plugin in versions 1.0.0 through 1.3.0. Check your plugin versions immediately to determine your exposure.
Upgrade the Game Users Share Buttons plugin to a patched version as soon as it's available. Until then, disable the plugin or implement a WAF rule to block malicious requests.
Active exploitation is not currently confirmed, but the vulnerability's severity and ease of exploitation suggest it could become a target. Monitor your systems for suspicious activity.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.