CVE-2025-6755
Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
| CWE | CWE-22 |
| Vendor | gameusers |
| Product | game users share buttons |
| Published | Jun 28, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for gameusers game users share buttons
Be the first to know when new high vulnerabilities affecting gameusers game users share buttons are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
gameusers / Game Users Share Buttons
0 โค 1.3.0
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/f861ece5-21e4-4c7f-8701-bd9492b1b8bf?source=cve wordpress.org: https://wordpress.org/plugins/game-users-share-buttons/#developers plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/game-users-share-buttons/tags/1.3.0/game-users-share-buttons.php#L638
Credits
Youcef Hamdani