
Kapee Theme EUVD-2026-37471 | CVE-2026-39446 (HIGH)
Deserialization of Untrusted Data (CWE-502)
Published 2026-06-16 · Reported by Patchstack
CVSS 3.1 base score 8.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary rating: 8.1 HIGH
  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
  Unauthenticated, network-reachable PHP object injection (PR:N/AV:N) with full CIA impact; AC:H reflects the need for a viable POP gadget chain to weaponize it.
  CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jun 16, 2026 23:41 - Analysis generated (vuln.today)
Jun 16, 2026 23:02 - Patch available (EUVD)

Description (CVE.org)

Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions.

Analysis (AI)

Unauthenticated PHP object injection in the Kapee WordPress theme, versions prior to 1.7.0, allows remote attackers to inject crafted serialized objects that, when combined with suitable gadget chains, can lead to high-impact compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available. No public exploit had been identified at the time of analysis, but the unauthenticated network vector makes this a meaningful priority for sites running this commercial WooCommerce theme.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Kapee theme < 1.7.0 on target
Delivery: Craft serialized PHP object with POP gadget chain
Exploit: Submit payload to vulnerable theme endpoint
Execution: Trigger unserialize() invoking magic methods
Persist: Execute code or write files on server
Impact: Exfiltrate data or deploy skimmer/webshell

Vulnerability Assessment (AI)

Exploitation: The target site must run the PressLayouts Kapee WordPress theme at a version below 1.7.0 with a network-reachable endpoint that passes attacker-controlled input to PHP unserialize(); no authentication or user interaction is required (PR:N/UI:N). …

Risk Assessment: CVSS 3.1 is 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: network reachable, no authentication and no user interaction, but high attack complexity, reflecting the need for a usable gadget chain and likely some site-specific conditions. …

Exploit Scenario: An unauthenticated attacker sends a crafted HTTP request to a vulnerable Kapee-powered WordPress site containing a serialized PHP payload in a parameter that the theme passes to unserialize(). The payload leverages a POP gadget chain from WordPress core, WooCommerce, or another loaded plugin to achieve arbitrary file write or code execution, ultimately taking over the site, exfiltrating customer/order data, or planting a web skimmer. …

Remediation: Upgrade the Kapee theme to version 1.7.0 or later, the version the vendor released as the patch; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/kapee/vulnerability/wordpress-kapee-theme-1-7-0-php-object-injection-vulnerability for upgrade guidance. …

Recommended Action (AI)

Within 24 hours: Inventory all WordPress sites running Kapee theme versions prior to 1.7.0 and review access logs for exploitation indicators. …
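As an added example (not code from the vuln.today page, Patchstack, or the Kapee theme), the log-review step above can be implemented as a small scanner: it parses combined-format access log lines, decodes each GET parameter (plain, double-URL-encoded and base64), and flags values carrying a serialized PHP object header (O:<len>:"<Class>":<n>:{), which is the marker CWE-502 payloads to unserialize() share. The log lines and the parameter name `opt` are constructed for the example; the page does not name the vulnerable parameter, and POST bodies are not visible in ordinary access logs.

```python
import re
import base64
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Header of a serialized PHP object: O:<len>:"<Class>":<n>:{  (C: = custom serialisation)
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decoded_views(value):
    """Yield the value as-is, URL-decoded once more (double encoding) and base64-decoded."""
    yield value
    dec = unquote_plus(value)
    if dec != value:
        yield dec
    for v in (value, dec):
        try:  # pad to a multiple of 4; non-base64 input raises and is skipped
            yield base64.b64decode(v + "=" * (-len(v) % 4)).decode("latin-1")
        except Exception:
            pass

def find_php_object_injection(log_lines):
    """Return (ip, target, param, header) for each request whose query string carries
    a serialized PHP object. Only GET parameters are visible in access logs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):  # URL-decodes once
            for view in decoded_views(value):
                hit = PHP_OBJECT_RE.search(view)
                if hit:
                    hits.append((m.group("ip"), m.group("target"), name, hit.group(0)))
                    break
    return hits

# Constructed sample lines; "opt" is a placeholder parameter name, not the real one.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2026:23:05:11 +0000] "GET /?s=shoes HTTP/1.1" 200 5123',
    '203.0.113.9 - - [16/Jun/2026:23:05:14 +0000] "GET /?opt=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D HTTP/1.1" 200 812',
    '203.0.113.9 - - [16/Jun/2026:23:05:15 +0000] "GET /?opt=TzoxOiJBIjowOnt9 HTTP/1.1" 200 812',
]
```

Run it as `find_php_object_injection(open("access.log").read().splitlines())`; a hit is a lead for review, not proof of compromise, since a WAF may have blocked the request or the parameter may never reach unserialize().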


EUVD-2026-37471 vulnerability details – vuln.today
