CVE-2026-6261
Published: 05 May 2026
Description
The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Patching Betheme (affected versions up to and including 28.4) to correct the upload_icons() workflow directly removes the arbitrary file upload and the remote code execution path that follows from it.
Validating user-controlled ZIP files and every extracted entry (file type and path) before anything is written to the public uploads directory addresses the root cause: the icon-pack upload workflow performs no file type validation.
Enforcing least privilege limits how many accounts hold author-level or higher access, reducing the pool of authenticated users who can reach the upload feature at all.
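To make the input validation control above concrete, the following PHP is an added example written for this page; it is not Betheme's code and does not show how the theme's upload_icons() workflow is implemented. It assumes an icon pack contains a stylesheet plus web-font files (the allowlist), and the function names and paths are placeholders. The point it demonstrates is the ordering the vulnerability description calls for: inspect every archive entry first, extract nothing until the whole archive passes.

```php
<?php
// Added example, not Betheme code: validate every entry of an uploaded icon-pack
// ZIP before any byte is written to the public uploads directory.
// The allowlist, function names and directory layout are assumptions.

// Assumed icon-pack contents: a stylesheet plus web-font files. Anything else is rejected.
const ICON_PACK_ALLOWED_EXTENSIONS = ['css', 'eot', 'ttf', 'woff', 'woff2', 'json'];

/**
 * Inspect an archive without extracting it. Returns an empty array when every
 * entry is acceptable, otherwise one reason string per rejected entry.
 */
function validate_icon_pack_zip(string $zip_path): array
{
    $problems = [];
    $zip = new ZipArchive();
    // CHECKCONS makes libzip verify the central directory against the local headers.
    if ($zip->open($zip_path, ZipArchive::CHECKCONS) !== true) {
        return ['archive could not be opened or failed consistency checks'];
    }

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if ($stat === false) {
            $problems[] = "entry $i: unreadable header";
            continue;
        }
        $name = str_replace('\\', '/', $stat['name']);

        // Keep extraction inside the target directory: no absolute paths, drive
        // letters or ".." segments anywhere in the entry name.
        if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)
            || in_array('..', explode('/', $name), true)) {
            $problems[] = "entry $i: unsafe path '$name'";
            continue;
        }

        // Directory entries carry no content; the path check above is all they need.
        if (substr($name, -1) === '/') {
            continue;
        }

        $base = basename($name);
        $parts = explode('.', $base);
        // Exactly one extension: "icons.css" passes, "shell.php.css" and ".htaccess" do not.
        // Rejecting multiple dots also defeats double-extension names that some
        // server configurations would hand to the PHP interpreter.
        if (count($parts) !== 2 || $parts[0] === '') {
            $problems[] = "entry $i: rejected file name '$base'";
            continue;
        }
        if (!in_array(strtolower($parts[1]), ICON_PACK_ALLOWED_EXTENSIONS, true)) {
            $problems[] = "entry $i: disallowed file type '$base'";
        }
    }

    $zip->close();
    return $problems;
}

/**
 * Extract only after the whole archive has been validated, and only into a
 * dedicated per-pack directory rather than the uploads root.
 */
function extract_icon_pack(string $zip_path, string $target_dir): bool
{
    if (validate_icon_pack_zip($zip_path) !== []) {
        return false; // reject the whole pack; never extract "the good parts"
    }
    if (!is_dir($target_dir) && !mkdir($target_dir, 0755, true)) {
        return false;
    }
    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        return false;
    }
    $ok = $zip->extractTo($target_dir);
    $zip->close();
    return $ok;
}

// Usage (paths are placeholders for this example):
// $problems = validate_icon_pack_zip('/tmp/uploaded-pack.zip');
// if ($problems === []) {
//     extract_icon_pack('/tmp/uploaded-pack.zip', '/path/to/wp-content/uploads/icon-packs/pack-0001');
// }
```

Inside WordPress the per-entry extension check could instead be delegated to `wp_check_filetype()`, which returns an empty `ext` for names it does not recognise; the path checks still have to be done by hand. Either way the allowlist is a defence-in-depth measure alongside, not instead of, configuring the web server so that nothing under the uploads directory is ever executed as PHP.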
Security Summary (AI-generated)
CVE-2026-6261 is an arbitrary file upload vulnerability in the Betheme theme for WordPress, affecting versions up to and including 28.4. The flaw arises in the upload_icons() function workflow, which moves and unzips user-controlled ZIP files into a public uploads directory without validating the types of extracted files. This vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with author-level access or higher can exploit the vulnerability via the Icons icon-pack upload flow. By supplying a malicious ZIP file containing arbitrary files, such as PHP code, they can place executable content in the public directory, enabling remote code execution on the targeted WordPress site.
Advisories and patch information are detailed in the Muffin Group changelog at https://support.muffingroup.com/changelog/ and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/722c04c3-8f74-4081-b3a4-cb1ae2027312?source=cve, published on 2026-05-05.
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress site directly enables exploitation of the public-facing application (T1190) to upload and execute a PHP web shell (T1505.003) and to transfer further malicious files onto the host (T1105).