HIGH SeverityCVSS 3.18.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2026-6261

Last updated May 05, 2026 · Published May 05, 2026

Description

The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow.

Affected products

1 listed

MuffinGroup:Betheme

Mappings

CWE

CWE-434

CAPEC

None listed.

Research

File upload security: validation, isolation, and scanningInsecure file uploads are still one of the fastest paths to RCE. Validate type and size, store outside the web…

Guides

Secure File Uploads in Node.jsValidation, scanning, storage isolation, and safe serving patterns.

Training

CVE-2026-6261

Description

Affected products

Mappings

Related