CVE-2026-6262 MEDIUM

CVE-2026-6262: Betheme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon-upload'

Vendor Muffingroup
Product Betheme
Weakness CWE-22 · Path traversal
Published May 5, 2026
Last update May 5, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. The upload_icons() workflow takes a user-controlled upload path (`mfn-icon-upload`) and uses it in a filesystem move operation without constraining the result to the uploads directory. This makes it possible for authenticated attackers, with Contributor-level access and above, to move (and thereby overwrite or delete) arbitrary local files that the web server account can write to, via path traversal.
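The following is an added example, not Betheme's own code: a hypothetical icon-upload handler that joins the `mfn-icon-upload` value onto the uploads directory and passes it straight to rename(), next to a hardened resolver that refuses absolute paths and `..` segments lexically and then confirms, after realpath() resolves symlinks, that the destination's parent directory still lies inside the uploads tree. Function names, the temporary directory layout and the sample file contents are constructed for the demonstration; the unsafe path is exercised only against a throwaway copy of a config file under the system temp directory.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical, modelled on the advisory's description):
// the request-supplied path is appended to the uploads directory and handed to
// a filesystem move. '..' segments walk out of the tree, and rename() silently
// replaces whatever already sits at the destination.
function move_icon_unsafe(string $tmp_file, string $uploads_dir, string $requested): bool
{
    return @rename($tmp_file, $uploads_dir . '/' . $requested);
}

// Hardened resolver: returns an absolute destination path that is guaranteed to
// lie inside $uploads_dir, or null if the request must be refused.
function resolve_upload_target(string $uploads_dir, string $requested): ?string
{
    $base = realpath($uploads_dir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // Refuse empty names, NUL bytes and absolute paths (POSIX or Windows-style).
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if ($requested[0] === '/' || $requested[0] === '\\' || preg_match('#^[A-Za-z]:#', $requested)) {
        return null;
    }

    // Lexical normalisation: drop '.' and empty segments, refuse any '..' at all.
    // An icon upload never legitimately needs to climb out of its own directory.
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $requested) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            return null;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);

    // Physical check: the parent directory must exist and, after symlinks are
    // resolved, still be the uploads directory or one of its descendants.
    $parent = realpath(dirname($candidate));
    if ($parent === false) {
        return null;
    }
    if ($parent !== $base && strpos($parent, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $parent . DIRECTORY_SEPARATOR . basename($candidate);
}

function move_icon_safe(string $tmp_file, string $uploads_dir, string $requested): bool
{
    $target = resolve_upload_target($uploads_dir, $requested);
    if ($target === null) {
        return false;
    }
    return rename($tmp_file, $target);
}

// --- Demonstration in a throwaway directory (constructed sample data) ---
$root    = sys_get_temp_dir() . '/cve-2026-6262-demo-' . getmypid();
$uploads = $root . '/wp-content/uploads';
mkdir($uploads . '/icons', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // stand-in for the real site config\n");

// Simulates the temp file PHP creates for each multipart upload.
$stage = function () use ($root): string {
    $tmp = $root . '/php-upload.tmp';
    file_put_contents($tmp, '<svg/>');
    return $tmp;
};

$attack = '../../wp-config.php';   // relative to wp-content/uploads

// Unsafe handler: the stand-in config file is replaced by the uploaded blob.
move_icon_unsafe($stage(), $uploads, $attack);
echo "after unsafe move, wp-config.php contains: " . file_get_contents($root . '/wp-config.php');

// Hardened handler: the traversal is refused; an ordinary name is accepted.
var_dump(move_icon_safe($stage(), $uploads, $attack));
var_dump(move_icon_safe($stage(), $uploads, 'icons/set1.svg'));
var_dump(resolve_upload_target($uploads, '/etc/passwd'));
```

The lexical pass alone is not enough in a real theme: if anything under the uploads tree is a symlink, a name with no `..` at all can still resolve outside it, which is why the resolver also compares the realpath() of the destination's parent against the realpath() of the uploads directory. In a WordPress context the base directory would come from wp_upload_dir() rather than a hard-coded path, and the final file name should additionally go through sanitize_file_name().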

Explanation of Vulnerability in Simple Terms

02 Summary

Betheme versions up to and including 28.4 contain a path traversal vulnerability in the icon upload feature. An authenticated user with Contributor-level access or higher can supply a path containing traversal sequences in the `mfn-icon-upload` parameter, causing the theme to move or delete files outside the uploads directory. The flaw does not disclose file contents (the CVSS vector rates Confidentiality as None); its impact is on the integrity of the filesystem, where deleting or overwriting core WordPress or configuration files can break the site. Update to a version newer than 28.4 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Move or delete arbitrary files that the web server account can write to, by supplying path traversal sequences in the `mfn-icon-upload` parameter. File contents are not disclosed.

Potential impact on your site

04 Site Impact

Any file writable by the web server account, including WordPress core and configuration files, could be moved, overwritten or deleted by a user with basic site access, which can take the site offline or disable its security controls. Confidentiality is not affected.

Conditions required to exploit

05 Prerequisites

Attacker must have an authenticated account with Contributor-level privileges or higher on the site. No user interaction is required and the attack is carried out over the network.

Key dates

06 Disclosure timeline

May 5, 2026 CVE published
May 5, 2026 Record updated