CVE-2025-6755 HIGH

CVE-2025-6755: Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter

Vendor: Gameusers
Product: Game Users Share Buttons
Weakness: CWE-22 · Path traversal
Published: June 28, 2025
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
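A path check of the kind the description says is missing, shown as an added example that is not the plugin's own code. The function name `resolve_theme_path`, the `themes` base directory and the rule that a theme id is a single path segment are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the plugin itself.
// Assumption: a theme id names a single entry directly under $baseDir.

function resolve_theme_path(string $baseDir, string $themeNameId): ?string
{
    // 1. Allow-list: one path segment of safe characters only. This rejects
    //    "../", "/", "\" and NUL bytes before the filesystem is touched.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $themeNameId)) {
        return null;
    }

    // 2. Canonicalise both paths so symlinks and ".." segments are resolved.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $themeNameId);
    if ($base === false || $target === false) {
        return null; // base directory missing, or no such theme
    }

    // 3. Containment: the resolved target must sit below the resolved base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree in the system temp directory (sample data only).
$root = sys_get_temp_dir() . '/share-buttons-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/themes/my-theme', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");

$samples = ['my-theme', '../wp-config.php', '../../../../wp-config.php', 'missing'];
foreach ($samples as $id) {
    $path = resolve_theme_path($root . '/themes', $id);
    printf("%-26s => %s\n", $id, $path === null ? 'rejected' : 'accepted');
}

// Remove the demo tree.
unlink($root . '/wp-config.php');
rmdir($root . '/themes/my-theme');
rmdir($root . '/themes');
rmdir($root);
```

In a WordPress AJAX handler, a check like this belongs after a nonce check (`check_ajax_referer()`) and a capability check (`current_user_can()`), so that a Subscriber-level session cannot reach the delete path at all.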

Explanation of Vulnerability in Simple Terms

02 Summary

Game Users Share Buttons versions 1.3.0 and earlier contain a path traversal vulnerability that allows authenticated users to read arbitrary files from the server. An attacker with low-level access can bypass directory restrictions and access sensitive files outside the intended application directory. This affects confidentiality, integrity, and availability of the affected system.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete arbitrary files on the server outside the intended application directory.

Potential impact on your site

04 Site Impact

Sensitive files (config, database credentials, private keys) may be exposed, modified, or deleted by authenticated attackers.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-level user account or authenticated session on the site.

Key dates

06 Disclosure timeline

June 28, 2025: CVE published
April 8, 2026: Record updated