CVE-2025-6755 in Game Users Share Buttons Plugin
Summary
by MITRE • 06/28/2025
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2025
The vulnerability identified as CVE-2025-6755 affects the Game Users Share Buttons plugin for WordPress, representing a critical security flaw that undermines the integrity of WordPress installations. This vulnerability exists within the ajaxDeleteTheme() function, which processes AJAX requests related to theme deletion operations. The flaw manifests through inadequate input validation mechanisms that fail to properly sanitize or validate file paths submitted by users. Attackers exploiting this vulnerability can manipulate the themeNameId parameter to include malicious file path traversal sequences, thereby gaining unauthorized access to critical system files.
The technical implementation of this vulnerability stems from a lack of proper parameter validation and sanitization within the plugin's AJAX handling mechanism. When the ajaxDeleteTheme() function processes incoming requests, it directly incorporates user-supplied data into file system operations without adequate verification of the file paths. This creates a path traversal condition that allows attackers to navigate beyond the intended directory boundaries. The vulnerability is particularly concerning because it operates at the subscriber level, meaning that even users with minimal privileges can exploit this flaw to potentially execute arbitrary code on the affected WordPress installation.
The operational impact of this vulnerability extends far beyond simple file deletion capabilities. An attacker with subscriber-level access can leverage this flaw to target sensitive configuration files such as wp-config.php, which contains database credentials and cryptographic keys essential for system security. The ability to delete or modify such critical files can lead to complete system compromise, data exfiltration, or service disruption. This vulnerability essentially provides a backdoor mechanism that bypasses normal WordPress security controls, allowing unauthorized users to escalate their privileges and potentially gain full administrative control over the affected site.
The security implications of CVE-2025-6755 align with CWE-22, which describes path traversal vulnerabilities that occur when applications fail to properly validate file paths. This weakness creates an environment where attackers can manipulate file access operations to target unintended files and directories. The vulnerability also maps to ATT&CK technique T1059, which involves executing malicious code through various attack vectors, including the exploitation of web application vulnerabilities. The attack surface is further expanded by the fact that this vulnerability affects all versions up to and including 1.3.0, indicating a long-standing flaw that has not been adequately addressed.
Mitigation strategies for this vulnerability must include immediate plugin updates to versions that address the path traversal issue. System administrators should implement network-level restrictions to prevent unauthorized access to AJAX endpoints, particularly those that handle file operations. Additionally, implementing proper input validation and sanitization mechanisms can prevent malicious path traversal attempts. The WordPress security community should also consider implementing additional monitoring for unusual file access patterns and unauthorized deletion attempts. Regular security audits of third-party plugins and themes remain essential to identify similar vulnerabilities that could provide attackers with similar access vectors. Organizations should also implement principle of least privilege controls to limit the potential impact of such vulnerabilities by restricting user permissions and access rights within their WordPress installations.