4 matches found
CVE-2026-6261 Betheme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload
The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the uploadicons function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it...
CVE-2026-6261
The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the uploadicons function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it...
CVE-2026-6261 Betheme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload
The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the uploadicons function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it...
CVE-2026-6261
The Betheme theme for WordPress (up to version 28.4) is vulnerable to Arbitrary File Upload via the upload_icons workflow. The root cause is that user-controlled ZIPs are moved and unzip’ed into a public uploads directory without validating extracted file types. Authenticated attackers with autho...