Skip to main content
CVE Vulnerability Database

CVE-2025-6755: Game Users Share Button RCE Vulnerability

CVE-2025-6755 is a remote code execution vulnerability in the Game Users Share Button WordPress plugin allowing Subscriber-level attackers to delete critical files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6755 Overview

CVE-2025-6755 is an arbitrary file deletion vulnerability in the Game Users Share Buttons plugin for WordPress. The flaw affects all versions up to and including 1.3.0. The ajaxDeleteTheme() function fails to validate file paths supplied through the themeNameId parameter of an AJAX request. Authenticated attackers with Subscriber-level access can supply path traversal sequences such as ../../../../wp-config.php to delete arbitrary files on the server. Deleting critical WordPress files like wp-config.php forces the site into setup mode, which an attacker can leverage to achieve remote code execution. The vulnerability is tracked as CWE-22 (Path Traversal).

Critical Impact

Subscriber-level attackers can delete arbitrary files on the WordPress server, including wp-config.php, enabling site takeover and remote code execution.

Affected Products

  • Game Users Share Buttons WordPress Plugin — all versions through 1.3.0
  • WordPress installations with the plugin enabled and open user registration
  • Sites permitting Subscriber-level account creation

Discovery Timeline

  • 2025-06-28 - CVE-2025-6755 published to NVD
  • 2025-07-07 - Last updated in NVD database

Technical Details for CVE-2025-6755

Vulnerability Analysis

The Game Users Share Buttons plugin exposes an AJAX endpoint that invokes the ajaxDeleteTheme() function. This function accepts a themeNameId parameter from the request and uses it to construct a file path for deletion. The plugin does not sanitize the parameter or restrict deletion to a designated themes directory. As a result, attackers can supply directory traversal sequences to escape the intended directory and target any file readable by the web server process. The vulnerability requires only Subscriber-level authentication, which is the lowest privileged role in WordPress and is automatically granted on sites with open registration.

Root Cause

The root cause is insufficient file path validation in the ajaxDeleteTheme() function within game-users-share-buttons.php. The function trusts user-supplied input for the themeNameId parameter and concatenates it into a filesystem path without canonicalization or allowlist enforcement. There is no check ensuring the resolved path remains within the plugin's intended directory. The capability check on the AJAX handler is also too permissive, granting access to any authenticated user rather than restricting deletion operations to administrators. The plugin source at the affected line is available via the WordPress Plugin Source Code.

Attack Vector

An authenticated attacker sends a crafted AJAX POST request to the WordPress admin-ajax.php endpoint targeting the plugin's delete action. The attacker supplies a themeNameId parameter containing path traversal sequences such as ../../../../wp-config.php. The server resolves the traversal and deletes the targeted file. Once wp-config.php is removed, WordPress enters its installation flow, allowing the attacker to reconfigure the site to point at an attacker-controlled database and execute arbitrary PHP code. Further details are documented in the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-6755

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php containing themeNameId parameters with ../ or URL-encoded %2e%2e%2f traversal sequences
  • Missing or recently deleted wp-config.php, .htaccess, or core WordPress files in the webroot
  • Unexpected WordPress installation prompts when accessing the site root
  • New Subscriber accounts created shortly before file deletion events

Detection Strategies

  • Inspect web server access logs for AJAX requests referencing the plugin's delete action paired with traversal patterns in request bodies
  • Monitor file integrity on the WordPress root and wp-content directories for unauthorized deletions
  • Alert on HTTP requests where action parameters target plugin AJAX handlers from low-privilege authenticated sessions

Monitoring Recommendations

  • Enable WordPress audit logging to capture AJAX endpoint usage by user role
  • Deploy file integrity monitoring on wp-config.php and critical core files
  • Track creation of new Subscriber accounts followed by anomalous AJAX activity within short time windows

How to Mitigate CVE-2025-6755

Immediate Actions Required

  • Deactivate and remove the Game Users Share Buttons plugin until a patched version is released and verified
  • Disable open user registration or restrict the default new-user role to limit Subscriber account creation
  • Restore any deleted files from backups and rotate database credentials in wp-config.php if the file was removed
  • Review WordPress user accounts and remove unrecognized Subscriber-level users

Patch Information

At the time of NVD publication, no fixed version had been released. Monitor the WordPress Plugin Developer Page and the Wordfence Vulnerability Report for updates. Until a patch is available, removing the plugin is the recommended remediation.

Workarounds

  • Uninstall the Game Users Share Buttons plugin entirely if it is not business-critical
  • Apply web application firewall rules that block requests containing ../ sequences in the themeNameId parameter
  • Set the WordPress default registration role to a non-existent or restricted custom role to prevent Subscriber provisioning
  • Enforce read-only filesystem permissions on wp-config.php and core WordPress files where the deployment model allows
bash
# Example WAF rule (ModSecurity) blocking traversal in themeNameId
SecRule ARGS:themeNameId "@rx \.\./" \
  "id:1006755,phase:2,deny,status:403,\
  msg:'CVE-2025-6755 path traversal in Game Users Share Buttons themeNameId'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.