Description
Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to inject malicious scripts into a victim’s browser when viewing a specific page or component of the affected WordPress theme. The flaw resides in the Kapee theme’s data rendering logic, permitting arbitrary client‑side code execution that can lead to credential theft, session hijacking, defacement, or malware delivery. The weakness is a classic unchecked input handling flaw, classified as CWE‑79.

Affected Systems

WordPress installations using the PressLayouts Kapee theme versions older than 1.7.1 are affected. Any site that has not upgraded beyond these versions remains vulnerable.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the high‑severity range, while the EPSS score is not disclosed, suggesting limited public exploitation data. It is not currently listed in the CISA KEV catalog. The most likely attack vector is web‑based, where a visitor to a compromised site can trigger the XSS by loading a page that contains the vulnerable content or by submitting malicious input through a form that the theme does not properly sanitize. Active exploitation would require no authentication, making the risk higher for public sites.

Generated by OpenCVE AI on June 18, 2026 at 14:03 UTC.

Remediation

Vendor Solution

Update the WordPress Kapee Theme to the latest available version (at least 1.7.1).


OpenCVE Recommended Actions

  • Update the Kapee Theme to version 1.7.1 or later, which contains the fixed input validation logic.
  • Validate and escape any user‑supplied content that may be rendered by the theme using WordPress’s built‑in sanitization functions before it is output.
  • Enable a Web Application Firewall or a security plugin that blocks reflected XSS payloads and monitor site traffic for suspicious requests.

Generated by OpenCVE AI on June 18, 2026 at 14:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Presslayouts
Presslayouts kapee
Wordpress
Wordpress wordpress
Vendors & Products Presslayouts
Presslayouts kapee
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.
Title WordPress Kapee theme < 1.7.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Presslayouts Kapee
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:30:45.750Z

Reserved: 2026-04-21T12:35:51.612Z

Link: CVE-2026-41557

cve-icon Vulnrichment

Updated: 2026-06-17T13:30:33.553Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')