CVE-2026-6262
Arbitrary File Deletion in Betheme WordPress Theme
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| muffingroup | betheme | to 28.4 (inc) |
| muffingroup | betheme | 28.4.1.1 |
| betheme | betheme | to 28.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with contributor-level access and above to delete arbitrary local files via path traversal. This could lead to unauthorized modification or deletion of sensitive data stored on the server.
Such unauthorized file deletion could impact compliance with standards like GDPR and HIPAA, which require protection of data integrity and availability. If sensitive personal or health data is deleted or tampered with, it may result in violations of these regulations.
However, the provided information does not explicitly detail the compliance impact or any direct references to regulatory requirements.
Can you explain this vulnerability to me?
The Betheme theme for WordPress has a vulnerability called Arbitrary File Deletion in versions up to and including 28.4. This occurs because the upload_icons() function uses a user-controlled upload path without restricting it to the uploads directory. As a result, authenticated users with contributor-level access or higher can perform path traversal to move or delete arbitrary local files on the server.
How can this vulnerability impact me? :
This vulnerability allows attackers with contributor-level access or higher to delete or move arbitrary files on the server. This can lead to loss or tampering of important files, potentially disrupting website functionality or causing data loss. Since the attacker does not need high privileges, the risk is significant for sites that allow contributor-level users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Arbitrary File Deletion vulnerability in the Betheme WordPress theme, you should immediately update the theme to version 28.4.1.1 or later, where this issue has been fixed.
Additionally, restrict contributor-level and higher user permissions carefully, as the vulnerability requires authenticated users with contributor-level access or above.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the upload_icons() function in the Betheme WordPress theme allowing authenticated users with contributor-level access or higher to perform arbitrary file deletion via path traversal.
To detect exploitation attempts or presence of this vulnerability on your system, you can monitor web server logs for suspicious requests containing the parameter 'mfn-icon-upload' with path traversal patterns such as '../' sequences.
Example commands to search for such suspicious requests in Apache or Nginx access logs:
- grep -i 'mfn-icon-upload' /var/log/apache2/access.log | grep '\.\./'
- grep -i 'mfn-icon-upload' /var/log/nginx/access.log | grep '\.\./'
Additionally, you can scan your WordPress installation for the Betheme version. Versions up to and including 28.4 are vulnerable, so verifying the theme version can help identify if your system is at risk.
To check the Betheme version, you can look into the style.css file inside the theme directory or use WP-CLI commands if available.
- grep 'Version' wp-content/themes/betheme/style.css
- wp theme list --status=active