Theme Vulnerability Hub
Theme | 21 known issues | Latest disclosed May 04, 2026

Betheme Vulnerabilities

Review known vulnerability records for the WordPress theme Betheme (`betheme`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-6261, CVE-2026-6262 and CVE-2025-9371, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records
21
High or Critical
5
Patch Coverage
Incomplete: CVE-2024-3998 below lists no fixed release
Last Updated
May 04, 2026

Patch Decision Workflow

How to prioritize Betheme remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

1. Match the Package
Confirm the installed WordPress theme slug (the directory name under wp-content/themes) is betheme before acting on any CVE from this cluster. If the active theme is a child theme, the version that matters is the parent's, named in the child's style.css Template header.
2. Sort by Severity
Start with the 5 high or critical records, then review medium and unrated findings with public references.
3. Check Patch Evidence
Most records list a fixed release; CVE-2024-3998 does not. Verify compatibility before closing a finding, and treat a matched record without a listed fix as an open item.
4. Monitor Gaps
At least one record (CVE-2024-3998) still lacks a listed fixed release, so keep this hub in the review queue.
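The four steps above as a runnable check, added here as an example rather than code from this hub or from the Betheme project: it reads the theme's style.css header the way WordPress does, matches the slug, compares the installed version against the affected ranges listed on this page, and reports the lowest release that closes every matched record that has a fix. The style.css content is a constructed sample; on a live site WP-CLI's `wp theme get betheme --field=version` returns the same version string. Where the page gives two bounds for CVE-2022-45356 the wider one is used.

```python
import re
from typing import Optional

# Affected range, fixed release and severity for each record on this hub page.
# Tuple: (CVE, highest affected version, fixed version or None, severity label)
BETHEME_RECORDS = [
    ("CVE-2026-6261",  "28.4",     "28.4.1", "High"),
    ("CVE-2026-6262",  "28.4",     "28.4.1", "Medium"),
    ("CVE-2025-63075", "28.2",     "28.2.1", "Medium"),
    ("CVE-2025-9371",  "28.1.6",   "28.1.7", "Medium"),
    ("CVE-2025-7399",  "28.1.3",   "28.1.4", "Medium"),
    ("CVE-2025-3077",  "28.0.3",   "28.0.4", "Medium"),
    ("CVE-2025-0450",  "27.6.1",   "27.6.2", "Medium"),
    ("CVE-2024-2694",  "27.5.6",   "27.5.7", "High"),
    ("CVE-2024-3998",  "27.5.6",   None,     "Medium"),  # page lists no fixed release
    ("CVE-2024-5567",  "27.5.5",   "27.5.6", "Medium"),
    ("CVE-2023-47770", "27.1.1",   "27.1.2", "Medium"),
    ("CVE-2023-39998", "27.1.1",   "27.1.2", "Medium"),
    ("CVE-2022-45356", "26.6.2",   "26.6.3", "High"),    # page gives 26.6.1 and 26.6.2; wider bound used
    ("CVE-2022-3861",  "26.5.1.4", "26.6",   "High"),
    ("CVE-2022-45077", "26.5.1.4", "26.6",   "High"),
]

# Constructed sample of a theme's style.css header (not a real Betheme file).
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Betheme
Version: 28.1.6
Text Domain: betheme
*/
"""


def version_tuple(version: str) -> tuple:
    """Turn '28.4.1' into (28, 4, 1); trailing zeros are dropped so '28.4.0' == '28.4'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, highest_affected: str) -> bool:
    """The hub's ranges are 'up to and including X', so affected means installed <= X."""
    return version_tuple(installed) <= version_tuple(highest_affected)


def parse_theme_header(style_css: str) -> dict:
    """Read 'Key: value' lines from the leading comment block of style.css,
    the same header WordPress itself uses to learn a theme's name and version."""
    match = re.search(r"/\*(.*?)\*/", style_css, re.S)
    block = match.group(1) if match else ""
    return {key.strip(): value
            for key, value in re.findall(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", block, re.M)}


def triage(slug: str, style_css: str) -> list:
    """Return the hub records that apply to the theme installed at this slug, High first.
    slug is the directory name under wp-content/themes, which is the identifier WordPress uses."""
    header = parse_theme_header(style_css)
    if "Template" in header:
        # A child theme's style.css carries the child's own version. The code named by
        # the CVEs lives in the parent directory given here, so triage that one instead.
        raise ValueError(f"child theme of {header['Template']!r}: triage the parent theme directory")
    if slug != "betheme":
        return []
    version = header.get("Version")
    if not version:
        raise ValueError("style.css has no Version header")
    order = {"Critical": 0, "High": 1, "Medium": 2}
    hits = [{"cve": cve, "severity": severity, "affected_up_to": highest, "fixed": fixed}
            for cve, highest, fixed, severity in BETHEME_RECORDS
            if is_affected(version, highest)]
    hits.sort(key=lambda h: (order.get(h["severity"], 9), h["cve"]))
    return hits


def recommended_target(hits: list) -> Optional[str]:
    """Lowest release that closes every matched record that has a fix, or None if nothing matched.
    Matched records whose 'fixed' is None stay open even after that update."""
    fixed = [h["fixed"] for h in hits if h["fixed"]]
    return max(fixed, key=version_tuple) if fixed else None


if __name__ == "__main__":
    matches = triage("betheme", SAMPLE_STYLE_CSS)
    for hit in matches:
        print(f'{hit["cve"]:15} {hit["severity"]:7} <= {hit["affected_up_to"]:9} '
              f'fixed in {hit["fixed"] or "no fix listed"}')
    print("update to:", recommended_target(matches))
```

With the sample header (version 28.1.6) four records match and the target is 28.4.1; a record that matches but has no listed fix is still returned so it stays visible in the queue.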
Priority CVE Quick Links

Fast paths into Betheme CVE reports

Start with the highest-signal CVE records for this WordPress theme before scanning the full vulnerability feed.

Tracked CVE | Issue Type | Affected Versions | Fixed Version | CVSS
CVE-2026-6261 | Arbitrary File Upload to Remote Code Execution | up to 28.4 | 28.4.1 | 8.8
  Betheme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execu...
CVE-2024-2694 | PHP Object Injection | up to 27.5.6 | 27.5.7 | 8.8
  Betheme <= 27.5.6 - Authenticated (Contributor+) PHP Object Injection
CVE-2022-45356 | Authorization Bypass | up to 26.6.1 (title says <= 26.6.2) | 26.6.3 | 8.8
  Betheme <= 26.6.2 - Missing Authorization Check on Core Functionality
CVE-2022-3861 | PHP Object Injection | up to 26.5.1.4 | 26.6 | 8.8
  Betheme <= 26.5.1.4 - Authenticated (Subscriber+) PHP Object Injection
CVE-2022-45077 | PHP Object Injection | up to 26.5.1.4 | 26.6 | 8.8
  Betheme <= 26.5.1.4 - Authenticated (Subscriber+) PHP Object Injection
CVE-2026-6262 | Arbitrary File Deletion | up to 28.4 | 28.4.1 | 6.5
  Betheme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon...
CVE-2023-39998 | Missing Authorization | up to 27.1.1 | 27.1.2 | 6.5
  Betheme <= 27.1.1 - Missing Authorization via '_tool_history_delete'
CVE-2025-9371 | Stored Cross-Site Scripting | up to 28.1.6 | 28.1.7 | 6.4
  Betheme <= 28.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'pa...
Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for Betheme so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
At least one record, CVE-2024-3998, has no listed safe release; the remaining records list a published patch path.
Severity Mix
0 critical and 5 high severity findings.
Recent CVEs
CVE-2026-6261, CVE-2026-6262 and CVE-2025-9371
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for Betheme

Sorted by latest disclosure date so newly published issues surface first.

Theme High Patched: Yes CVE-2026-6261
CVE-2026-6261: Betheme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload

The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file type...

Published
May 04, 2026
Patched Release
28.4.1
Affected Versions
Versions up to 28.4
Next Step
Update to 28.4.1 or newer if supported.
Theme Medium Patched: Yes CVE-2026-6262
CVE-2026-6262: Betheme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon-upload'

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to t...

Published
May 04, 2026
Patched Release
28.4.1
Affected Versions
Versions up to 28.4
Next Step
Update to 28.4.1 or newer if supported.
Theme Medium Patched: Yes CVE-2025-9371
CVE-2025-9371: Betheme <= 28.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'page_title'

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attac...

Published
Oct 08, 2025
Patched Release
28.1.7
Affected Versions
Versions up to 28.1.6
Next Step
Update to 28.1.7 or newer if supported.
Theme Medium Patched: Yes CVE-2025-63075
CVE-2025-63075: Betheme <= 28.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 28.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a...

Published
Oct 06, 2025
Patched Release
28.2.1
Affected Versions
Versions up to 28.2
Next Step
Update to 28.2.1 or newer if supported.
Theme Medium Patched: Yes CVE-2025-7399
CVE-2025-7399: Betheme <= 28.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via an Elementor display setting in all versions up to, and including, 28.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contribu...

Published
Aug 05, 2025
Patched Release
28.1.4
Affected Versions
Versions up to 28.1.3
Next Step
Update to 28.1.4 or newer if supported.
Theme Medium Patched: Yes CVE-2025-3077
CVE-2025-3077: Betheme <= 28.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it p...

Published
Apr 15, 2025
Patched Release
28.0.4
Affected Versions
Versions up to 28.0.3
Next Step
Update to 28.0.4 or newer if supported.
Theme Medium Patched: Yes CVE-2025-0450
CVE-2025-0450: Betheme <= 27.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for a...

Published
Jan 20, 2025
Patched Release
27.6.2
Affected Versions
Versions up to 27.6.1
Next Step
Update to 27.6.2 or newer if supported.
Theme Medium Patched: Yes CVE-2024-5567
CVE-2024-5567: Betheme | Responsive Multipurpose WordPress & WooCommerce Theme <= 27.5.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level ac...

Published
Sep 12, 2024
Patched Release
27.5.6
Affected Versions
Versions up to 27.5.5
Next Step
Update to 27.5.6 or newer if supported.
Theme Medium Patched: No CVE-2024-3998
CVE-2024-3998: Betheme | Responsive Multipurpose WordPress & WooCommerce Theme <= 27.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the theme's shortcodes in all versions up to, and including, 27.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth...

Published
Aug 29, 2024
Patched Release
Not published
Affected Versions
Versions up to 27.5.6
Next Step
Open the full report for remediation notes and references.
Theme High Patched: Yes CVE-2024-2694
CVE-2024-2694: Betheme <= 27.5.6 - Authenticated (Contributor+) PHP Object Injection

The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and...

Published
Aug 29, 2024
Patched Release
27.5.7
Affected Versions
Versions up to 27.5.6
Next Step
Update to 27.5.7 or newer if supported.
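The record above names the sink: the 'mfn-page-items' post meta value is passed to deserialization. Updating to 27.5.7 closes the sink but does not tell you whether a hostile payload was stored while the site was exposed. Here is an added detection example (Python, not theme code) for that audit: a small walker over PHP serialize() output that reports every O:/C: class token while skipping string bodies by their declared length, run over constructed wp_postmeta rows of the shape SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key = 'mfn-page-items' would return. The rows, the 'Example_Gadget' class name and the assumption that legitimate builder data is plain serialized arrays of scalars are invented for the example. On the PHP side, unserialize($value, ['allowed_classes' => false]) refuses object tokens outright; that is PHP's own option, not a statement of how 27.5.7 fixed the issue.

```python
# Minimal walker over PHP serialize() output. It skips string bodies by their declared
# length, so an 'O:' inside a legitimate string value is not a false positive.
TOKENS_SCALAR = {b"i", b"d", b"b"}


def php_serialized_classes(data: bytes) -> list:
    """Return the class name of every object (O:) or custom-serialised (C:) node in data,
    in document order. Raises ValueError if data is not well-formed serialize() output."""
    classes = []

    def number_then_colon(pos: int):
        # Parse '<digits>:' starting at pos; return (number, position after the ':').
        colon = data.index(b":", pos)
        return int(data[pos:colon]), colon + 1

    def walk(pos: int) -> int:
        token = data[pos:pos + 1]
        if token == b"N":                       # N;
            return pos + 2
        if token in TOKENS_SCALAR:              # i:42;  d:1.5;  b:1;
            return data.index(b";", pos) + 1
        if token == b"s":                       # s:<len>:"<bytes>";
            length, p = number_then_colon(pos + 2)
            return p + 1 + length + 2           # opening quote, body, closing quote and ';'
        if token == b"a":                       # a:<count>:{<key><value>...}
            count, p = number_then_colon(pos + 2)
            p += 1                              # '{'
            for _ in range(count):
                p = walk(walk(p))
            return p + 1                        # '}'
        if token in (b"O", b"C"):               # O:<len>:"<class>":<count>:{...}  C:<len>:"<class>":<len>:{...}
            name_len, p = number_then_colon(pos + 2)
            classes.append(data[p + 1:p + 1 + name_len].decode("utf-8"))
            p += 1 + name_len + 2               # quote, name, closing quote and ':'
            count, p = number_then_colon(p)
            p += 1                              # '{'
            if token == b"C":
                return p + count + 1            # opaque payload of <count> bytes, then '}'
            for _ in range(count):
                p = walk(walk(p))
            return p + 1
        raise ValueError(f"unexpected token {token!r} at offset {pos}")

    end = walk(0)
    if end != len(data):
        raise ValueError(f"trailing bytes after offset {end}")
    return classes


# Constructed rows in the shape of: SELECT post_id, meta_key, meta_value FROM wp_postmeta
# WHERE meta_key = 'mfn-page-items'. Assumption: the value is plain serialize() output.
# 'Example_Gadget' is a hypothetical class name, not a real gadget class.
SAMPLE_ROWS = [
    (41, "mfn-page-items", b'a:1:{i:0;a:2:{s:4:"type";s:6:"column";s:5:"items";a:0:{}}}'),
    (42, "mfn-page-items", b'a:1:{i:0;O:14:"Example_Gadget":1:{s:4:"path";s:13:"wp-config.php";}}'),
    (43, "mfn-page-items", b'not serialized data at all'),
]


def scan_postmeta(rows) -> list:
    """One finding per row that contains an object node or fails to parse.
    Assumption: legitimate builder data is nested arrays of scalars, so either condition
    deserves a look. A real site may still hold benign stdClass values, so treat a hit as a
    hunt lead, not as proof of exploitation."""
    findings = []
    for post_id, meta_key, value in rows:
        if isinstance(value, str):
            value = value.encode("utf-8")
        try:
            classes = php_serialized_classes(value)
        except ValueError as exc:
            findings.append({"post_id": post_id, "meta_key": meta_key, "classes": None, "error": str(exc)})
            continue
        if classes:
            findings.append({"post_id": post_id, "meta_key": meta_key, "classes": classes, "error": None})
    return findings


if __name__ == "__main__":
    for finding in scan_postmeta(SAMPLE_ROWS):
        print(finding)
```

Against the sample rows only post 42 (an object node) and post 43 (unparseable) are reported; the benign nested-array row passes. Export the real rows with WP-CLI's `wp db query` or any MySQL client and feed them to scan_postmeta(); a value that does not parse is reported too, because an injected payload is often truncated or hand-edited.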
Theme Medium Patched: Yes CVE-2023-47770
CVE-2023-47770: Betheme <= 27.1.1 - Missing Authorization

The Betheme theme for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on one of its functions in versions up to, and including, 27.1.1. This makes it possible for authenticated attackers, with contributor-level access and above, t...

Published
Nov 14, 2023
Patched Release
27.1.2
Affected Versions
Versions up to 27.1.1
Next Step
Update to 27.1.2 or newer if supported.
Theme Medium Patched: Yes CVE-2023-39998
CVE-2023-39998: Betheme <= 27.1.1 - Missing Authorization via '_tool_history_delete'

The Betheme theme for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '_tool_history_delete' AJAX function in versions up to, and including, 27.1.1. This makes it possible for authenticated attackers, with author-level access and abov...

Published
Aug 10, 2023
Patched Release
27.1.2
Affected Versions
Versions up to 27.1.1
Next Step
Update to 27.1.2 or newer if supported.