What is the CVSS score of CVE-2026-41557?

CVE-2026-41557 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.2%.

Which versions of Kapee WordPress Theme are affected by CVE-2026-41557?

The Kapee WordPress theme (versions prior to 1.7.1) contains a cross-site scripting vulnerability (CVSS 7.1) that allows unauthenticated attackers to inject malicious scripts into your website.. A patch is available.

How to fix or mitigate CVE-2026-41557?

Within 24 hours: Audit your WordPress installation to identify if Kapee theme is deployed and confirm current version; create full backup. Within 7 days: Either deactivate Kapee theme entirely and switch to an alternative (primary recommendation), or implement Web Application Firewall rules to block XSS payloads if immediate theme removal is not feasible. Within 30 days: Monitor Patchstack and WordPress.org security advisories for Kapee version 1.7.1 or later release; test patch in staging environment and schedule controlled upgrade.

Kapee WordPress Theme CVE-2026-41557

EUVD-2026-37606 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-06-17 Patchstack

XSS Kapee

7.1

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

7.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

vuln.today AI

7.1 HIGH

Network-reachable WordPress theme, no attacker auth (PR:N), but requires victim click (UI:R); reflected XSS escapes theme scope into admin context (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch available

Jun 17, 2026 - 13:01 EUVD

Analysis Generated

Jun 17, 2026 - 12:12 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.

AnalysisAI

Reflected/stored cross-site scripting in the Kapee WordPress theme versions prior to 1.7.1 allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after user interaction, with a scope change that can impact other components beyond the vulnerable theme. No public exploit identified at time of analysis, but the vulnerability was disclosed via Patchstack with a CVSS of 7.1, reflecting the unauthenticated nature combined with required user interaction.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify WordPress site running Kapee theme

Delivery

Craft malicious URL with XSS payload

Exploit

Phish link to authenticated administrator

Execution

Victim clicks link, script executes in browser

Persist

Hijack admin session via stolen cookies

Impact

Create persistent backdoor account

Access

Identify WordPress site running Kapee theme

Delivery

Craft malicious URL with XSS payload

Exploit

Phish link to authenticated administrator

Execution

Victim clicks link, script executes in browser

Persist

Hijack admin session via stolen cookies

Impact

Create persistent backdoor account

Vulnerability AssessmentAI

Exploitation	Exploitation requires (1) a target site running the Kapee WordPress theme at a version below 1.7.1, (2) a victim - typically a logged-in WordPress user, ideally an administrator - to interact with attacker-supplied content such as clicking a crafted URL or visiting a page containing injected content (UI:R in the CVSS vector), and (3) network reachability to the vulnerable WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L scores 7.1, elevated primarily by the scope change (S:C) - indicating injected script can affect resources beyond the vulnerable component (e.g., the WordPress admin session or other site origins). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a URL targeting a vulnerable Kapee theme endpoint (for example, a search or product parameter) containing a JavaScript payload, then phishes the link to a site administrator via email or social media. When the administrator clicks the link while authenticated, the script executes in the admin's browser context and, due to the scope change, can hijack the WordPress session, create rogue admin accounts, or plant persistent backdoors.
Remediation	Upgrade the Kapee theme to version 1.7.1 or later, which is the fixed release per Patchstack's advisory at https://patchstack.com/database/wordpress/theme/kapee/vulnerability/wordpress-kapee-theme-1-7-1-cross-site-scripting-xss-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit your WordPress installation to identify if Kapee theme is deployed and confirm current version; create full backup. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-39446 HIGH This Week

8.1 Jun 16

Unauthenticated PHP object injection in the Kapee WordPress theme versions prior to 1.7.0 allows remote attackers to inj

CVE-2026-41557 vulnerability details – vuln.today

Back