Arbitrary File Upload Vulnerability in Betheme WordPress Theme by Muffin Group
CVE-2026-6261

8.8HIGH

Key Information:

Vendor: WordPress
Status: Betheme
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-6261?

The Betheme theme developed by Muffin Group has a vulnerability that allows authenticated users with author-level access and above to upload arbitrary files. This occurs due to an improper handling of uploaded ZIP files in the upload_icons() function. The function fails to validate the file types extracted from user-controlled archives before moving them to a public uploads directory, allowing for potential remote code execution. Attackers can exploit this vulnerability to execute malicious code on compromised WordPress sites, posing significant risks to site integrity and security.

Affected Version(s)

Betheme 0 <= 28.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://support.muffingroup.com/changelog/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

Craig Smith

Leonid Semenenko

CVE-2026-6261 Data

JSON