CVE-2026-41557
Deferred Deferred - Pending Action

Unauthenticated XSS in Kapee

Vulnerability report for CVE-2026-41557, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-07
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kapee kapee to 1.7.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability is an unauthenticated Cross Site Scripting (XSS) issue found in WordPress Kapee Theme versions below 1.7.1.

It allows attackers to inject malicious scripts that execute when visitors access the affected site.

Exploitation typically requires user interaction, such as clicking a malicious link or visiting a crafted page.

The vulnerability has a CVSS score of 7.1, indicating moderate danger.

Impact Analysis

Successful exploitation can lead to attackers injecting malicious scripts, including redirects or advertisements, which execute when visitors access the site.

This can compromise the integrity and trustworthiness of the website, potentially leading to data theft, session hijacking, or spreading malware.

Since the vulnerability requires user interaction, it can be used in mass campaigns targeting numerous websites.

Immediate action is advised to update to version 1.7.1 or later to resolve the issue.

Mitigation Strategies

Immediate action is advised to update the WordPress Kapee Theme to version 1.7.1 or later, as this version contains the patch that resolves the Cross Site Scripting (XSS) vulnerability.

Until the update is applied, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability.

Detection Guidance

This vulnerability affects WordPress Kapee Theme versions below 1.7.1 and involves Cross Site Scripting (XSS) that requires user interaction such as clicking a malicious link or visiting a crafted page.

To detect if your system is vulnerable, first verify the installed version of the Kapee theme on your WordPress site. You can do this by checking the theme version in the WordPress admin dashboard or by running commands to inspect the theme files.

  • Use WP-CLI to check the theme version: wp theme list --status=active
  • Manually check the style.css file in the Kapee theme directory for the version number: grep 'Version' wp-content/themes/kapee/style.css

If the version is below 1.7.1, your site is vulnerable. Additionally, monitoring web traffic for suspicious query parameters or payloads that attempt to inject scripts could help detect exploitation attempts.

Patchstack has issued a mitigation rule to block attacks until the update is applied, so applying such rules in your web application firewall or intrusion detection system can help detect or prevent exploitation.

Compliance Impact

The provided information does not specify how the unauthenticated Cross Site Scripting (XSS) vulnerability in Kapee versions below 1.7.1 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41557. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart