Betheme WordPress Arbitrary File Upload RCE (CVE-2026-6261)

The Betheme theme for WordPress, in versions up to and including 28.4, is vulnerable to arbitrary file upload (CVE-2026-6261), per the National Vulnerability Database. The flaw is in the upload_icons() workflow: it moves a user-supplied ZIP archive into the public uploads directory and unzips it there without validating the types of the files it extracts.

Because the extracted file types are never checked, an authenticated attacker with author-level access or higher can place arbitrary files, including PHP files, under a web-served path through the Icons icon-pack upload flow, and then request them to achieve remote code execution (RCE). NVD assigns the issue a CVSS score of 8.8 (HIGH).

This is a direct path to full site compromise rather than a theoretical risk. The attacker's sequence is short: obtain an author-level account, upload an icon pack that contains a PHP file, and request that file. For defenders this means any site running an affected Betheme version is a prime target regardless of other controls: the upload is a legitimate, authenticated request carrying an archive, and the payload sits inside the ZIP, so a web application firewall inspecting the request itself is unlikely to block it.
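To make the defect class concrete, the following Python model (an added example, not Betheme's code, which is PHP) contrasts the unsafe pattern NVD describes, unzipping an uploaded archive straight into a web-served directory, with a hardened extractor that validates every entry before writing anything. The extension allowlist, the executable-suffix list and the size cap are assumptions chosen for the illustration; the sample archives are constructed in memory.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumed allowlist for an icon pack (fonts, stylesheet, metadata): allowlist
# what the feature needs rather than blocklisting "bad" names.
ALLOWED_EXTENSIONS = {".svg", ".css", ".json", ".ttf", ".woff", ".woff2", ".eot"}
# Suffixes a PHP host may execute even when not last (shell.php.svg on hosts
# with permissive handler matching). Assumed list for this example.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
MAX_ENTRY_BYTES = 5 * 1024 * 1024  # assumed per-entry cap; also bounds zip bombs


def build_pack(entries: dict[str, bytes]) -> bytes:
    """Constructed sample input: build an icon-pack ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """The vulnerable pattern: unzip straight into the web-served directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def rejection_reason(info: zipfile.ZipInfo) -> str | None:
    """Why an entry must not be extracted, or None if it is acceptable."""
    name, path = info.filename, PurePosixPath(info.filename)
    if name.startswith(("/", "\\")) or ":" in name or ".." in path.parts:
        return "path escapes the destination directory"
    if info.is_dir():
        return None
    if (info.external_attr >> 16) & 0o170000 == 0o120000:  # S_IFLNK in unix mode bits
        return "symlink entry"
    if path.name.startswith("."):
        return "dotfile (server config override such as .htaccess or .user.ini)"
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        return f"extension {suffixes[-1] if suffixes else '<none>'} not in allowlist"
    if any(s in EXECUTABLE_SUFFIXES for s in suffixes):
        return "executable extension embedded in name"
    if info.file_size > MAX_ENTRY_BYTES:
        return "entry exceeds size cap"
    return None


def check_entry_name(name: str) -> str | None:
    """Validate a bare entry name (treated as an empty regular file)."""
    return rejection_reason(zipfile.ZipInfo(name))


def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], dict[str, str]]:
    """Hardened pattern: validate every entry first, then extract all or nothing.

    Returns (extracted_names, {rejected_name: reason}). One bad entry refuses
    the whole archive, so a pack is never left half-installed under a public path.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        rejected = {}
        for info in zf.infolist():
            reason = rejection_reason(info)
            if reason:
                rejected[info.filename] = reason
        if rejected:
            return [], rejected
        zf.extractall(dest)
        return zf.namelist(), {}


def demo() -> dict:
    """Run both extractors on constructed packs and report what reached disk."""
    bad = build_pack({
        "icons/style.css": b".icon{font-family:icons}",
        "icons/icons.woff2": b"wOF2 constructed",
        "icons/shell.php": b"<?php /* constructed web-shell placeholder */ ?>",
        "icons/shell.php.svg": b"<svg/><?php /* constructed */ ?>",
        "icons/.htaccess": b"AddType application/x-httpd-php .svg",
        "../../evil.php": b"<?php /* constructed */ ?>",
    })
    clean = build_pack({"icons/style.css": b".icon{}", "icons/icons.woff2": b"wOF2"})
    with tempfile.TemporaryDirectory() as d:
        unsafe_listed = unsafe_extract(bad, Path(d))
        unsafe_php = sorted(p.name for p in Path(d).rglob("*.php"))
    with tempfile.TemporaryDirectory() as d:
        safe_extracted, safe_rejected = safe_extract(bad, Path(d))
        safe_on_disk = [p.name for p in Path(d).rglob("*") if p.is_file()]
    with tempfile.TemporaryDirectory() as d:
        clean_extracted, clean_rejected = safe_extract(clean, Path(d))
    return {"unsafe_listed": unsafe_listed, "unsafe_php_on_disk": unsafe_php,
            "safe_extracted": safe_extracted, "safe_rejected": safe_rejected,
            "safe_on_disk": safe_on_disk, "clean_extracted": clean_extracted,
            "clean_rejected": clean_rejected}
```

Running demo() shows the unsafe extractor writing shell.php (and the traversal entry, which Python's zipfile flattens to evil.php rather than walking out of the directory) into the destination, while safe_extract refuses the same archive outright and lists every offending entry. Whole-archive refusal is deliberate: extracting the "good" entries and skipping the bad ones still lets an attacker probe the allowlist one file at a time.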

What This Means For You

  • If your organization runs the Betheme theme for WordPress, you are exposed to remote code execution. Verify the installed Betheme version immediately and update to a release newer than 28.4. Review WordPress user permissions, especially author-level accounts (the lowest role that can reach the vulnerable flow), and audit the uploads directory and server logs for PHP or other executable files written under public paths.
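The two checks in the bullet above, as an added Python example rather than anything from the page or the vendor: read the theme version from the Version: header that WordPress requires in a theme's style.css and compare it numerically against 28.4, then walk the uploads tree and flag files a PHP host might execute, by name and by content. The style.css text and the uploads tree are constructed in a temporary directory; the suffix list and the wp-content paths in the usage note are assumptions.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

LAST_VULNERABLE = "28.4"  # NVD: versions up to and including 28.4 are affected
# Assumed lists for this example.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def theme_version(style_css: str) -> str | None:
    """Read the Version: line from the comment header at the top of style.css."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", style_css, re.MULTILINE)
    return m.group(1) if m else None


def _vtuple(version: str) -> tuple[int, ...]:
    """Numeric tuple so that 28.10 sorts after 28.4 (string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is at or below the last affected release.

    A point release above 28.4 is treated as fixed here; confirm the actual fixed
    version against the vendor changelog before relying on that.
    """
    return _vtuple(version) <= _vtuple(LAST_VULNERABLE)


def scan_uploads(root: Path) -> list[dict]:
    """Flag files in a web-served uploads tree that a PHP host might execute."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if any(s.lower() in EXECUTABLE_SUFFIXES for s in p.suffixes):
            reasons.append("executable extension in name")  # shell.php, img.php.jpg
        if p.name.startswith("."):
            reasons.append("dotfile (server config override, e.g. .htaccess)")
        with p.open("rb") as fh:
            head = fh.read(64 * 1024)
        if any(tag in head for tag in PHP_OPEN_TAGS):
            reasons.append("PHP open tag in content")  # polyglot or renamed file
        if reasons:
            findings.append({"path": p.relative_to(root).as_posix(),
                             "size": p.stat().st_size, "reasons": reasons})
    return findings


def demo() -> dict:
    """Constructed sample: a Betheme style.css header and a small uploads tree."""
    style_css = "/*\nTheme Name: Betheme\nVersion: 28.4\n*/\n"
    sample = {
        "2026/05/photo.jpg": b"\xff\xd8\xff constructed jpeg",
        "2026/05/icons/style.css": b".icon{}",
        "2026/05/icons/shell.php": b"<?php /* constructed */ ?>",
        "2026/05/icons/img.php.jpg": b"\xff\xd8 <?php /* constructed */ ?>",
        "2026/05/.htaccess": b"AddType application/x-httpd-php .jpg",
        "2026/05/poly.svg": b"<svg/><?= 'constructed' ?>",
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in sample.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        findings = scan_uploads(root)
    version = theme_version(style_css)
    return {"version": version, "vulnerable": is_vulnerable(version), "findings": findings}
```

On a live site, point theme_version at wp-content/themes/betheme/style.css (standard WordPress layout; the theme directory name is an assumption) and scan_uploads at wp-content/uploads. The content check matters as much as the name check: a PHP payload renamed to .svg or .jpg is only harmless until a .htaccess like the sample one, or a lax handler configuration, makes the server execute it.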

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-6261   RCE                     Betheme theme for WordPress, versions <= 28.4
CVE-2026-6261   Arbitrary File Upload   Betheme theme for WordPress: upload_icons() function
CVE-2026-6261   Arbitrary File Upload   Betheme theme for WordPress: Icons icon-pack upload flow
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
