Description
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
Published: 2025-06-28
Score: 8.8 High
EPSS: 1.2% Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

An attacker with Subscriber or higher privileges on a WordPress site can exploit the Game Users Share Buttons plugin by sending malicious AJAX requests to the ajaxDeleteTheme() endpoint. The plugin fails to validate the themeNameId parameter correctly, allowing the attacker to specify relative paths such as ../../../../wp-config.php. This flaw leads to arbitrary file deletion, which can in turn remove critical configuration files and enable remote code execution or denial-of-service conditions. The weakness is a classic path traversal vulnerability classified as CWE-22.

Affected Systems

Any WordPress installation running Game Users Share Buttons versions 1.3.0 or earlier is affected. The vulnerability is triggered by authenticated users who have Subscriber level access or higher, and is only present when the plugin is active.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of 1% suggests a moderate probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be logged in with at least Subscriber privileges and must be able to invoke the ajaxDeleteTheme() action, typically via the plugin’s admin interface or by crafting a custom HTTP request. Successful exploitation can delete configuration files such as wp-config.php, potentially leading to full site compromise.

Generated by OpenCVE AI on April 20, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Game Users Share Buttons plugin to a release newer than 1.3.0 that includes proper path validation for the ajaxDeleteTheme() endpoint.
  • If an upgrade is not immediately possible, deactivate the plugin to block access to the vulnerable AJAX function and prevent further file deletions.
  • Implement file‑integrity monitoring on critical assets like wp-config.php so that any unexpected removal or alteration is detected and alerted to the site administrator.


Advisories
Source: EUVD
ID: EUVD-2025-19576
Title: The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.

History

Mon, 07 Jul 2025 15:00:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Gameusers; Gameusers game Users Share Button
  • CPEs: cpe:2.3:a:gameusers:game_users_share_button:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Gameusers; Gameusers game Users Share Button

Mon, 30 Jun 2025 19:15:00 +0000

Values Removed: none
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 28 Jun 2025 05:45:00 +0000

Values Removed: none
Values Added:
  • Description: The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
  • Title: Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter
  • Weaknesses: CWE-22
  • References
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:57.349Z

Reserved: 2025-06-26T22:17:54.592Z

Link: CVE-2025-6755

Vulnrichment

Updated: 2025-06-30T18:32:50.116Z

NVD

Status: Analyzed

Published: 2025-06-28T06:15:23.910

Modified: 2025-07-07T14:37:41.387

Link: CVE-2025-6755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses