Impact
This vulnerability allows an unauthenticated attacker to inject malicious scripts into a victim’s browser when viewing a specific page or component of the affected WordPress theme. The flaw resides in the Kapee theme’s data rendering logic, permitting arbitrary client‑side code execution that can lead to credential theft, session hijacking, defacement, or malware delivery. The weakness is a classic unchecked input handling flaw, classified as CWE‑79.
Affected Systems
WordPress installations using the PressLayouts Kapee theme versions older than 1.7.1 are affected. Any site that has not upgraded beyond these versions remains vulnerable.
Risk and Exploitability
The CVSS score of 7.1 places this issue in the high‑severity range, while the EPSS score is not disclosed, suggesting limited public exploitation data. It is not currently listed in the CISA KEV catalog. The most likely attack vector is web‑based, where a visitor to a compromised site can trigger the XSS by loading a page that contains the vulnerable content or by submitting malicious input through a form that the theme does not properly sanitize. Active exploitation would require no authentication, making the risk higher for public sites.
OpenCVE Enrichment