Description
The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move/delete arbitrary local files via path traversal.
Published: 2026-05-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Betheme theme includes a flaw in the upload_icons() workflow that allows an authenticated WordPress user with contributor-level access or higher to supply a custom upload path (mfn-icon-upload) that is not confined to the uploads directory, so the subsequent filesystem move operation can delete arbitrary local files. The result is data loss, site disruption, and potential exposure of critical files; the underlying weakness is path traversal (CWE-22) used to achieve file deletion.

Affected Systems

MuffinGroup Betheme theme for WordPress, versions 28.4 and earlier. Any site using these versions is susceptible.

Risk and Exploitability

The severity score of 6.5 indicates moderate risk. Exploitation requires authentication: an attacker who can log in with contributor privileges can trigger the deletion by submitting a crafted upload request through the theme's admin interface, using the mfn-icon-upload path. The EPSS score is unavailable and the vulnerability is not listed in CISA KEV, but the absence of known public exploitation does not eliminate risk for sites still running vulnerable versions.

Generated by OpenCVE AI on May 5, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Betheme to the latest version that resolves the upload path validation flaw
  • If immediate upgrade is not feasible, disable or remove the upload_icons() function or configure it to restrict upload paths to the uploads directory
  • Regularly review server logs for unexpected file deletion or movement activity
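As an added illustration (not Betheme's code and not the vendor's fix), the second recommended action above can be implemented by resolving any requested upload subdirectory against the uploads base directory and refusing the move when the result leaves that tree. The function names resolve_upload_subdir() and move_uploaded_icon() are hypothetical; inside WordPress the base directory would come from wp_upload_dir()['basedir'] and the leaf name from sanitize_file_name(), both real WordPress functions. The demo at the bottom runs outside WordPress against a constructed scratch directory.

```php
<?php
// Added illustration, not Betheme's code: confine a user-requested
// destination directory to the uploads tree before a filesystem move.
// resolve_upload_subdir() and move_uploaded_icon() are hypothetical names.

/**
 * Resolve $requestedDir as a subpath of $uploadsBase. Returns the absolute
 * directory if it stays inside the uploads tree, null if it escapes or
 * cannot be resolved. The uploads base itself is allowed.
 */
function resolve_upload_subdir(string $uploadsBase, string $requestedDir): ?string
{
    $base = realpath($uploadsBase);
    if ($base === false) {
        return null; // uploads directory missing: refuse rather than guess
    }
    // Treat the request strictly as a relative path: drop NUL bytes and
    // any leading separators so it cannot become absolute.
    $rel = ltrim(str_replace("\0", '', $requestedDir), "/\\");
    $candidate = $base . DIRECTORY_SEPARATOR . $rel;

    // realpath() collapses ".." and symlinks but fails on paths that do not
    // exist yet; for a new leaf directory resolve its parent instead.
    $resolved = realpath($candidate);
    if ($resolved === false) {
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null; // more than one missing component: refuse
        }
        $resolved = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . basename($candidate);
    }

    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved !== $base && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the uploads tree via traversal or symlink
    }
    return $resolved;
}

/**
 * Move a temporary upload into the uploads tree. Every input the request
 * controls (directory and file name) is constrained first.
 */
function move_uploaded_icon(string $uploadsBase, string $tmpFile,
                            string $requestedDir, string $name): bool
{
    $dir = resolve_upload_subdir($uploadsBase, $requestedDir);
    if ($dir === null) {
        return false;
    }
    // Keep only a conservative character set in the leaf name; in WordPress
    // sanitize_file_name() does this job.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
    if ($safeName === '' || $safeName === '.' || $safeName === '..') {
        return false;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $safeName;
    if (file_exists($dest)) {
        return false; // never clobber an existing file
    }
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return false;
    }
    // For a real HTTP upload use move_uploaded_file(); rename() keeps the
    // demo self-contained.
    return rename($tmpFile, $dest);
}

// Constructed demo: a scratch uploads directory and two temp files.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-uploads-' . getmypid();
mkdir($uploads, 0755, true);
$inside  = move_uploaded_icon($uploads, tempnam(sys_get_temp_dir(), 'icon'), 'icons', 'logo.svg');
$escaped = move_uploaded_icon($uploads, tempnam(sys_get_temp_dir(), 'icon'), '../../outside', 'file.txt');
echo 'subdirectory "icons" accepted: ', var_export($inside, true), PHP_EOL;
echo 'traversal to "../../outside" accepted: ', var_export($escaped, true), PHP_EOL;
```

The check is deliberately conservative: a request whose parent directory does not yet exist is refused rather than created, and the uploads base is resolved with realpath() so that a symlink planted inside the tree cannot redirect the move elsewhere. Logging each refusal gives the "unexpected file movement" signal the third recommendation asks operators to review.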


Advisories

No advisories yet.

History

Tue, 05 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Muffingroup; Muffingroup betheme; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Muffingroup; Muffingroup betheme; Wordpress; Wordpress wordpress

Tue, 05 May 2026 11:45:00 +0000

Type: Description
Values Added: The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move/delete arbitrary local files via path traversal.

Type: Title
Values Added: Betheme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon-upload'

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Muffingroup Betheme
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T14:12:36.587Z

Reserved: 2026-04-14T00:02:04.206Z

Link: CVE-2026-6262

Vulnrichment

Updated: 2026-05-05T13:49:07.326Z

NVD

Status: Received

Published: 2026-05-05T12:16:21.590

Modified: 2026-05-05T12:16:21.590

Link: CVE-2026-6262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T13:15:15Z

Weaknesses