Description
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
Published: 2025-06-28
Score: 8.8 High
EPSS: 3.2% Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

An attacker who is authenticated as a Subscriber or higher on a WordPress site can exploit the Game Users Share Buttons plugin by sending a crafted AJAX request to the ajaxDeleteTheme() endpoint. The plugin does not validate the themeNameId parameter, so the attacker can supply arbitrary relative paths such as ../../../../wp-config.php. This path traversal allows the attacker to delete arbitrary files on the server, including critical configuration files that can lead to remote code execution. The weakness is classified as CWE‑22.

Affected Systems

WordPress installations that have the Game Users Share Buttons plugin version 1.3.0 or earlier are affected. The vulnerability is triggered only when the plugin is active and the attacker has at least Subscriber level access. It does not impact sites that have upgraded beyond 1.3.0 or have disabled the plugin.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of 3% suggests a moderate likelihood of exploitation in the current threat landscape. The vulnerability is not listed in the CISA KEV catalog. An attacker must be logged in with Subscriber privileges and must be able to invoke the ajaxDeleteTheme() action, typically via the plugin’s admin interface or by crafting a custom HTTP request. Successful exploitation can delete files such as wp-config.php, potentially granting the attacker remote code execution capabilities.

Generated by OpenCVE AI on April 29, 2026 at 02:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Game Users Share Buttons plugin to a release newer than 1.3.0, which includes proper path validation for the ajaxDeleteTheme() endpoint.
  • If an upgrade is not immediately possible, deactivate the plugin to block access to the vulnerable AJAX function and prevent further file deletions.
  • Implement file‑integrity monitoring on critical assets such as wp-config.php so that any unexpected removal or alteration is detected and alerted to the site administrator.
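
A containment check of the kind the first recommendation calls "proper path validation", as an added example (not the plugin's code or the vendor's fix). The function name resolve_theme_dir, the themes base directory and the temporary-directory layout are assumptions for illustration; only the themeNameId parameter name comes from the advisory.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Maps a user-supplied theme identifier to a directory strictly inside
// $themesBase, or returns null when the request must be refused.
function resolve_theme_dir(string $themesBase, string $themeNameId): ?string
{
    // 1. Allowlist: a single path segment, so "/", "\", "." and NUL never pass.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $themeNameId)) {
        return null;
    }
    // 2. Canonicalise both paths. realpath() resolves ".." and symlinks and
    //    returns false when the target does not exist.
    $base   = realpath($themesBase);
    $target = realpath($themesBase . DIRECTORY_SEPARATOR . $themeNameId);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;
    }
    // 3. Containment: the canonical target must sit under the canonical base.
    //    This also catches a symlink inside the base that points elsewhere.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample layout in a temporary directory (not a real site).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'share-buttons-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/themes/blue', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");

// Constructed inputs: one legitimate identifier, then values that must be refused.
$inputs = ['blue', '../wp-config.php', '../../../../wp-config.php', 'blue/../..', '', 'missing'];
foreach ($inputs as $themeNameId) {
    $dir = resolve_theme_dir($root . '/themes', $themeNameId);
    printf("%-30s => %s\n", var_export($themeNameId, true), $dir === null ? 'rejected' : 'accepted');
}

// Remove the constructed layout again.
unlink($root . '/wp-config.php');
rmdir($root . '/themes/blue');
rmdir($root . '/themes');
rmdir($root);
```

In a WordPress AJAX handler, a check like this would sit behind check_ajax_referer() and a current_user_can() capability test, so that a Subscriber account cannot reach the delete path at all.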


Advisories
Source: EUVD
ID: EUVD-2025-19576
Title: The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.

History

Mon, 07 Jul 2025 15:00:00 +0000

Values Added
First Time appeared: Gameusers; Gameusers game Users Share Button
CPEs: cpe:2.3:a:gameusers:game_users_share_button:*:*:*:*:*:wordpress:*:*
Vendors & Products: Gameusers; Gameusers game Users Share Button

Mon, 30 Jun 2025 19:15:00 +0000

Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 28 Jun 2025 05:45:00 +0000

Values Added
Description: The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution.
Title: Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter
Weaknesses: CWE-22
References
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:33:57.349Z
Reserved: 2025-06-26T22:17:54.592Z
Link: CVE-2025-6755

Vulnrichment

Updated: 2025-06-30T18:32:50.116Z

NVD

Status: Analyzed
Published: 2025-06-28T06:15:23.910
Modified: 2025-07-07T14:37:41.387
Link: CVE-2025-6755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:15:47Z
