CVE-2026-6262

Name of the Vulnerable Software and Affected Versions Betheme versions prior to 28.5

Description The Betheme theme for WordPress allows authenticated attackers with contributor-level access and above to move or delete arbitrary local files via path traversal. This occurs because the upload icons() function uses a user-controlled upload path mfn-icon-upload in a filesystem move operation without restricting it to the uploads directory.

Recommendations Update to a version later than 28.4. As a temporary workaround, restrict access to the upload icons() function for users with contributor-level permissions.