
Muffingroup Betheme vulnerabilities

21 known vulnerabilities affecting muffingroup/betheme.

Total CVEs: 21
CISA KEV: 0
Public exploits: 0
Exploited in wild: 7
Severity breakdown: HIGH 8, MEDIUM 13

Vulnerabilities

Page 1 of 2
CVE-2022-45351 | P1 | MEDIUM | CVSS 5.4 | Exploited | ≤ 26.6.1 | ≥ n/a, ≤ 26.6.1 | 2024-03-25
CWE-862: Missing Authorization vulnerability in Muffingroup Betheme. This issue affects Betheme: from n/a through 26.6.1.
nvd
CVE-2022-45363 | P2 | MEDIUM | CVSS 5.4 | Exploited | ≤ 26.6.1 | ≥ n/a, ≤ 26.6.1 | 2022-11-22
CWE-79: Auth. (subscriber+) Stored Cross-Site Scripting (XSS) in Muffingroup Betheme theme <= 26.6.1 on WordPress.
nvd
CVE-2022-45356 | P2 | HIGH | CVSS 8.8 | Exploited | fixed in 26.6.3 | ≥ n/a, ≤ 26.6.1 | 2024-03-25
CWE-862: Missing Authorization vulnerability in Muffingroup Betheme. This issue affects Betheme: from n/a through 26.6.1.
nvd
CVE-2022-45349 | P2 | MEDIUM | CVSS 4.3 | Exploited | ≤ 26.6.1 | ≥ n/a, ≤ 26.6.1 | 2024-03-25
CWE-862: Missing Authorization vulnerability in Muffingroup Betheme. This issue affects Betheme: from n/a through 26.6.1.
nvd
CVE-2022-45352 | P2 | MEDIUM | CVSS 4.3 | Exploited | fixed in 26.6.3 | ≥ n/a, ≤ 26.6.1 | 2024-03-25
CWE-862: Missing Authorization vulnerability in Muffingroup Betheme. This issue affects Betheme: from n/a through 26.6.1.
nvd
CVE-2022-45077 | P2 | HIGH | CVSS 8.8 | Exploited | fixed in 26.6 | ≤ 26.5.1.4 | 2022-11-17
CWE-502: Auth. (subscriber+) PHP Object Injection vulnerability in Betheme theme <= 26.5.1.4 on WordPress.
nvd
CVE-2022-45353 | P2 | HIGH | CVSS 8.1 | Exploited | ≤ 26.6.1 | ≥ n/a, ≤ 26.6.1 | 2023-01-14
CWE-863: Broken Access Control in Betheme theme <= 26.6.1 on WordPress.
nvd
CVE-2026-6261 | P2 | HIGH | CVSS 8.8 | ≤ 28.4 | 2026-05-05
CWE-434: The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level ac
nvd
CVE-2024-2694 | P3 | HIGH | CVSS 8.8 | ≤ 27.5.6 | 2024-08-30
CWE-502: The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulner
nvd
CVE-2022-3861 | P3 | HIGH | CVSS 8.8 | fixed in 26.6 | ≤ 26.5.1.4 | 2022-11-21
CWE-502: The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard funct
nvd
CVE-2023-47770 | P3 | HIGH | CVSS 7.6 | fixed in 27.1.2 | 2024-06-19
CWE-862: Missing Authorization vulnerability in Muffin Group Betheme. This issue affects Betheme: from n/a through 27.1.1.
nvd
CVE-2026-6262 | P3 | MEDIUM | CVSS 6.5 | ≤ 28.4 | 2026-05-05
CWE-22: The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers,
nvd
CVE-2023-39998 | P3 | HIGH | CVSS 7.2 | fixed in 27.1.2 | ≥ n/a, ≤ 27.1.1 | 2024-06-19
CWE-862: Missing Authorization vulnerability in Muffingroup Betheme. This issue affects Betheme: from n/a through 27.1.1.
nvd
CVE-2025-9371 | P4 | MEDIUM | CVSS 6.4 | ≤ 28.1.6 | 2025-10-09
CWE-79: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scr
nvd
CVE-2025-7399 | P4 | MEDIUM | CVSS 6.4 | ≤ 28.1.3 | 2025-08-06
CWE-79: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via an Elementor display setting in all versions up to, and including, 28.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that
nvd
CVE-2025-63075 | P4 | MEDIUM | CVSS 6.5 | ≤ 28.2 | 2025-12-09
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in muffingroup Betheme betheme allows DOM-Based XSS. This issue affects Betheme: from n/a through <= 28.2.
nvd
CVE-2024-5567 | P4 | MEDIUM | CVSS 5.4 | fixed in 27.5.5 | ≤ 27.5.5 | 2024-09-13
CWE-79: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute
nvd
CVE-2025-0450 | P4 | MEDIUM | CVSS 5.4 | fixed in 27.6.2 | ≤ 27.6.1 | 2025-01-21
CWE-79: The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject
nvd
CVE-2025-3077 | P4 | MEDIUM | CVSS 5.4 | fixed in 28.0.4 | ≤ 28.0.3 | 2025-04-16
CWE-79: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and abo
nvd
CVE-2023-29101 | P4 | MEDIUM | CVSS 6.1 | ≤ 26.7.5 | ≥ n/a, ≤ 26.7.5 | 2023-05-10
CWE-79: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Muffingroup Betheme theme <= 26.7.5 versions.
nvd