What the vulnerability does
01Description
The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. The upload_icons() function takes a user-controlled upload path (the `mfn-icon-upload` parameter) and passes it to a filesystem move operation without constraining the result to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move or delete arbitrary local files via path traversal.
Explanation of Vulnerability in Simple Terms
02Summary
Betheme versions up to and including 28.4 contain a path traversal flaw in the icon upload handler: the path supplied in the `mfn-icon-upload` parameter is used in a file move without being confined to the uploads directory. An authenticated user with contributor-level access or higher can use it to move or delete files outside that directory, removing or overwriting files the site depends on. Update to a version newer than 28.4 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Move or delete arbitrary files on the server via path traversal, outside the uploads directory the icon upload handler should be restricted to.
Potential impact on your site
04Site Impact
Files the site depends on could be moved, overwritten or deleted by any user with contributor-level access or higher.
Conditions required to exploit
05Prerequisites
Attacker must have an authenticated account with contributor-level access or higher.
Key dates
06Disclosure timeline
May 5, 2026
CVE published
May 5, 2026
Record updated