CVE-2026-6261

Name of the Vulnerable Software and Affected Versions Betheme versions prior to 28.5

Description The Betheme theme for WordPress allows authenticated attackers with author-level access or higher to upload arbitrary files, including PHP scripts. This occurs because the upload icons() function moves and unzips user-controlled ZIP files into a public uploads directory without validating the types of the extracted files. This flaw can lead to remote code execution via the Icons icon-pack upload flow.

Recommendations Update to a version later than 28.4. As a temporary workaround, restrict access to the Icons icon-pack upload flow for users with author-level permissions.