Arbitrary File Deletion Vulnerability in Betheme for WordPress by Muffin Group
CVE-2026-6262

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Betheme
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-6262?

The Betheme theme for WordPress contains a vulnerability that allows for Arbitrary File Deletion. An issue arises from the upload_icons() function, which utilizes a user-defined upload path (mfn-icon-upload) without proper restrictions to the designated uploads directory. This flaw enables authenticated attackers, including those with contributor-level access or higher, to execute a path traversal attack that can result in the unauthorized movement or deletion of local files.

Affected Version(s)

Betheme 0 <= 28.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://support.muffingroup.com/changelog/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Craig Smith

Leonid Semenenko

CVE-2026-6262 Data

JSON