Cyber Resilience

CVE-2026-6261

High

Published: 05 May 2026

Published
05 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0061 44.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6261 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Muffingroup (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6261 is an arbitrary file upload vulnerability in the Betheme theme for WordPress, affecting versions up to and including 28.4. The flaw arises in the upload_icons() function workflow, which moves and unzips user-controlled ZIP files into a public uploads directory without validating the types of extracted files. This vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with author-level access or higher can exploit the vulnerability via the Icons icon-pack upload flow. By supplying a malicious ZIP file containing arbitrary files, such as PHP code, they can place executable content in the public directory, enabling remote code execution on the targeted WordPress site.

Advisories and patch information are detailed in the Muffin Group changelog at https://support.muffingroup.com/changelog/ and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/722c04c3-8f74-4081-b3a4-cb1ae2027312?source=cve, published on 2026-05-05.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted…

more

file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Arbitrary file upload vuln in public-facing WordPress directly enables exploitation of the web app (T1190) to upload/execute PHP web shell (T1505.003) and transfer malicious files (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26325Shared CWE-434
CVE-2025-66256Shared CWE-434
CVE-2025-1025Shared CWE-434
CVE-2016-15043Shared CWE-434
CVE-2024-13448Shared CWE-434
CVE-2024-13333Shared CWE-434
CVE-2013-10040Shared CWE-434
CVE-2026-32523Shared CWE-434
CVE-2025-6423Shared CWE-434
CVE-2025-7063Shared CWE-434

Affected Assets

Muffingroup
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the flaw in the upload_icons() function by patching Betheme theme versions up to 28.4 directly prevents arbitrary file uploads and subsequent RCE.

prevent

Implementing input validation mechanisms for user-controlled ZIP files and extracted contents addresses the core issue of lacking file type validation in the icon-pack upload workflow.

prevent

Enforcing least privilege restricts author-level and higher access, reducing the attack surface for authenticated exploitation of the upload feature.

References