CVE-2025-6755: 
WordPress vulnerability analysis and mitigation

The Game Users Share Buttons plugin for WordPress (versions up to and including 1.3.0) contains a vulnerability identified as CVE-2025-6755. The vulnerability was discovered and disclosed on June 27, 2025, and was published to the NVD database on June 28, 2025. This security issue affects the ajaxDeleteTheme() function in the plugin, which lacks proper file path validation (Wiz Database).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue, identified as CWE-22. It has received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability allows attackers with Subscriber-level access to manipulate the themeNameId parameter in AJAX requests to include arbitrary file paths, such as '../../../../wp-config.php' (NVD).

The vulnerability can lead to arbitrary file deletion on the affected WordPress installation. When successfully exploited, this can be leveraged to achieve remote code execution on the target system. The high CVSS score indicates that the vulnerability has significant potential impact on the confidentiality, integrity, and availability of the affected system (Wiz Database).

The plugin has been temporarily closed as of June 26, 2025, pending a full security review. Users are advised to remove the plugin until a patched version becomes available (WordPress Plugin).