Introduction
A missing file type validation in Betheme's icon pack upload workflow lets any authenticated WordPress user with Author privileges drop a PHP webshell into a publicly accessible directory and execute it remotely. With over 325,000 active Betheme installations and more than 334,000 total sales on ThemeForest, the potential blast radius of CVE-2026-6261 is substantial.
Betheme is a commercial responsive multipurpose WordPress and WooCommerce theme developed by MuffinGroup. It is one of the top selling themes on the Envato ThemeForest marketplace, widely used across agencies, small businesses, and enterprise marketing sites. Its broad adoption across the WordPress ecosystem makes vulnerabilities in this theme particularly consequential.
Technical Information
Root Cause
The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS score of 8.8. The root cause lies in the upload_icons() function within the Betheme theme. This function handles the uploading of custom icon packs and follows a workflow that moves a user-supplied ZIP archive to the WordPress uploads directory, then extracts its contents into a publicly accessible path. Critically, no validation is performed on the file types inside the ZIP after extraction. The function trusts the contents of the archive entirely, which means any file type, including .php, is written to disk in a location directly reachable via HTTP.
Attack Flow
- Obtain Author level access. The attacker needs an authenticated WordPress session with at least Author privileges. This role is commonly assigned to content creators, marketing personnel, and external contributors, so compromised or malicious accounts at this level are a realistic scenario.
- Craft a malicious ZIP archive. The attacker creates a ZIP file containing a PHP webshell (or any other executable PHP script), optionally alongside legitimate icon font files to avoid casual inspection.
- Upload via the icon pack workflow. The attacker uses Betheme's Icons icon pack upload flow to submit the crafted ZIP. The upload_icons() function accepts the archive without inspecting its contents.
- Automatic extraction to a public directory. The function moves the ZIP to the WordPress uploads directory and extracts all files. Because there is no allowlist or blocklist check on extracted file extensions, the PHP file is written to disk in wp-content/uploads/ (or a subdirectory thereof).
- Execute the webshell. The attacker navigates to the URL of the extracted PHP file. Since the file resides in a publicly accessible directory, the web server executes it, granting the attacker remote code execution on the underlying server.
Discovery and Disclosure Timeline
The vulnerability was discovered by researchers Webbernaut and Leonid Semenenko. MuffinGroup released Betheme version 28.4 on April 9, 2026. The patched version 28.4.1 followed on April 20, 2026, and a regression fix (28.4.1.1) shipped on April 21, 2026. Wordfence published the vulnerability details and assigned the CVE on May 4, 2026, meaning the patch was available roughly two weeks before full public disclosure.
Patch Information
MuffinGroup addressed CVE-2026-6261 in Betheme version 28.4.1, released on April 20, 2026, with a quick follow-up in version 28.4.1.1 on April 21, 2026. The latter release fixes a PHP Fatal Error that the initial patch introduced on non-WooCommerce sites.
The fix in version 28.4.1 hardens the upload_icons() code path by introducing file type validation on the contents extracted from the uploaded ZIP archive. After decompression, the patched code checks each extracted file against an allowlist of safe file extensions: .css, .eot, .svg, .ttf, .woff, .woff2, and .json. These are the expected icon font asset types. Any file that does not match the permitted types is rejected and removed before it can be written to the public uploads directory, effectively closing the arbitrary file upload vector.
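The allowlist check described above, written as an added Python example (not Betheme's PHP code, whose exact implementation is not public): archive members are inspected before anything is written to disk, the extension comparison is case-insensitive so a ".PHP" member is also refused, and the whole pack is rejected if any member falls outside the allowlist. The sample archives and the demo() helper are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

# Allowlist of icon-font asset types named in the 28.4.1 fix description
ALLOWED_EXTENSIONS = {".css", ".eot", ".svg", ".ttf", ".woff", ".woff2", ".json"}

def is_allowed_icon_asset(name: str) -> bool:
    # Compare the final extension only, case-insensitively, so "x.PHP" is rejected
    ext = os.path.splitext(os.path.basename(name))[1].lower()
    return ext in ALLOWED_EXTENSIONS

def partition_zip_entries(zip_bytes: bytes):
    # Inspect the archive listing before anything is written to disk
    allowed, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            (allowed if is_allowed_icon_asset(info.filename) else rejected).append(info.filename)
    return allowed, rejected

def extract_icon_pack(zip_bytes: bytes, dest_dir: str) -> list:
    # Refuse the whole pack if any member is not an expected icon asset
    allowed, rejected = partition_zip_entries(zip_bytes)
    if rejected:
        raise ValueError(f"icon pack rejected, disallowed entries: {rejected}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in allowed:
            zf.extract(name, dest_dir)
    return allowed

def build_sample_icon_pack(include_php: bool) -> bytes:
    # Constructed sample archive, not a real Betheme icon pack
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("icons/style.css", ".icon { font-family: 'demo'; }")
        zf.writestr("icons/fonts/demo.woff2", b"\x00")
        if include_php:
            zf.writestr("icons/unexpected.PHP", "<?php echo 'not an icon asset'; ?>")
    return buf.getvalue()

def demo() -> tuple:
    # Clean pack extracts; the pack with a PHP member is flagged before extraction
    with tempfile.TemporaryDirectory() as tmp:
        extracted = extract_icon_pack(build_sample_icon_pack(False), tmp)
        _, rejected = partition_zip_entries(build_sample_icon_pack(True))
    return extracted, rejected
```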
Because Betheme is a commercial theme distributed through ThemeForest and the Muffin Group dashboard (not an open source repository), no public code diff or commit is available for inspection. However, the Wordfence advisory explicitly confirms the patched status: the remediation is to "Update to version 28.4.1, or a newer patched version."
The current recommended target for updates is 28.4.1.1, which resolves both the security vulnerability and the regression introduced by the initial security patch. Site administrators running Betheme should update immediately through the WordPress dashboard or by downloading the latest version from ThemeForest. If the vulnerable version was deployed at any point, it is advisable to audit the wp-content/uploads/ directory for any unexpected .php files that may have been planted via this attack vector before the update was applied.
Affected Systems and Versions
All installations of the Betheme WordPress theme running version 28.4 or earlier are affected. This includes every release in the version history up to and including 28.4.
The vulnerability requires:
- An active Betheme theme installation on WordPress
- At least one user account with Author, Editor, or Administrator role privileges
- The icon pack upload functionality to be accessible (which it is by default for these roles)
The fixed versions are:
- 28.4.1 (April 20, 2026): initial security patch
- 28.4.1.1 (April 21, 2026): security patch plus regression fix for non-WooCommerce sites (recommended update target)
Vendor Security History
Wordfence tracks 21 distinct vulnerabilities for the Betheme theme, indicating a pattern that warrants ongoing vigilance. Notable historical vulnerabilities include:
| Year | CVE ID | Vulnerability Type | Auth Level | CVSS |
|---|---|---|---|---|
| 2026 | CVE-2026-6261 | Arbitrary File Upload to RCE | Author+ | 8.8 |
| 2024 | CVE-2024-2694 | Authenticated PHP Object Injection | Contributor+ | 8.8 |
| 2023 | CVE-2023-39998 | Missing Authorization | Unknown | 6.5 |
| 2023 | CVE-2023-29101 | Reflected Cross Site Scripting | Unknown | 6.1 |
The recurring themes across these vulnerabilities, particularly around authorization checks and file handling, suggest that organizations using Betheme should treat theme updates as a regular security maintenance activity rather than an occasional task.