Game Users Share Buttons <= 1.3.0 - 认证 (订阅者+) 通过 themeNameId 参数实现任意文件删除

此漏洞的潜在影响非常严重。攻击者可以通过构造恶意的AJAX请求，利用ajaxDeleteTheme()函数中的文件路径验证不足，将任意文件路径（例如../../../../wp-config.php）添加到themeNameId参数中。成功利用此漏洞可能导致攻击者删除关键配置文件，甚至执行任意代码，从而完全控制受影响的WordPress站点。攻击者可以窃取敏感数据，篡改网站内容，或利用受感染的站点进行进一步的攻击。

Websites using the Game Users Share Buttons plugin, particularly those running vulnerable versions (1.0.0–1.3.0), are at risk. Shared hosting environments where multiple WordPress sites share the same server are particularly vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites with weak file permissions or inadequate WAF protection are also at increased risk.

• wordpress / composer / npm:

grep -r "ajaxDeleteTheme" /var/www/html/wp-content/plugins/game-users-share-buttons/

• wordpress / composer / npm:

wp plugin list --status=inactive | grep 'game-users-share-buttons'

• wordpress / composer / npm:

curl -I http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=ajaxDeleteTheme&themeNameId=../../../../wp-config.php | grep -i '403 forbidden'

1. 2025-06-28Disclosure

   disclosure

1. 已保留2025-06-26
2. 发布日期2025-06-28
3. 修改日期2026-04-08
4. EPSS 更新日期2026-03-23

最有效的缓解措施是立即将Game Users Share Buttons插件升级到修复版本。如果无法立即升级，可以考虑以下临时缓解措施：首先，限制插件的访问权限，只允许授权用户访问相关功能。其次，实施严格的文件路径验证，确保插件无法访问或删除敏感文件。此外，可以使用Web应用程序防火墙（WAF）来检测和阻止恶意的AJAX请求。最后，定期审查WordPress站点的日志文件，以查找可疑活动。