Severity: HIGH | CVE-2026-39446 | CNA: Patchstack

CVE-2026-39446: WordPress Kapee theme < 1.7.0 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 1.7.0
Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability in which an attacker supplies crafted, serialized PHP data to an application that deserializes it without validation, triggering unintended code execution paths. The Kapee WordPress theme before version 1.7.0 is affected, and the vulnerability is reachable over the network with no authentication required. Successful exploitation gives an attacker full read, write, and availability impact on the host; how far the attack goes depends on which PHP classes are available in the application to build a property-oriented programming (POP) chain. A patched-image rebuild at version 1.7.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-39446 is available across every HarborGuard environment. The CVE is matched against customer images, including custom-built images that bundle the Kapee theme, within minutes of ingestion from upstream feeds including Patchstack. HarborGuard's pipeline scanner inspects image layers for the affected theme version and flags any match against the vulnerable range (below 1.7.0).

Triage: Available

Triage is available with CVSS 8.1 HIGH scoring applied automatically, weighted against each customer organization's compliance policy to determine urgency and escalation threshold. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Available

A patched-image rebuild at Kapee version 1.7.0 becomes available in HarborGuard once the upstream fix is confirmed, eliminating the vulnerable theme version from the image layer. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or credential of any privilege level is required to trigger the deserialization endpoint.

  • Victim interaction: Not required

    The attack is entirely server-side; no user action or social engineering is required.

  • Attack complexity: Detail

    Exploitation is rated High complexity, meaning the attacker must identify a viable POP chain from available PHP classes and may need to account for environmental conditions such as installed plugins or specific server configurations.

Blast Radius

  • A successful attacker can read arbitrary files from the server, including WordPress configuration files containing database credentials and secret keys.
  • The attacker can write or modify files on the server, enabling webshell placement or theme/plugin file tampering.
  • The attacker can crash or destabilize the WordPress process, disrupting service availability for site visitors.
  • With a suitable POP chain, the attacker achieves remote code execution on the underlying host, moving beyond the WordPress application boundary.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-39446 runs against all customer images on every ingest cycle, matching the vulnerable Kapee version range with no manual configuration needed. For environments where the affected theme is present, a rebuild at version 1.7.0 is available. Where compliance policy permits auto-remediation, HarborGuard triggers the rebuild, runs regression tests against the updated image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where an immediate rebuild is not possible, consider applying a web application firewall rule to block serialized PHP payloads at the request layer and restricting network access to the WordPress admin surface as a compensating control while the patch is scheduled.
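The compensating control above, as an added example (not HarborGuard's or the theme's code): a Python check that flags PHP serialized object tokens in form-encoded request data, as sent or base64-wrapped. The function names and sample requests are constructed for illustration; the advisory does not name the vulnerable parameter, so every parameter is inspected.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Object forms emitted by PHP serialize():
#   O:<len>:"<class>":<count>:{   and   C:<len>:"<class>":<len>:{
PHP_OBJECT = re.compile(r'[OC]:\d+:"[^"]+":\d+:\{')


def decodings(value):
    """Yield the value as sent, plus its base64 decoding when it is valid base64."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass  # not base64: only the raw form is inspected


def find_serialized_objects(query_or_body):
    """Return (parameter, matched token) pairs for form-encoded request data."""
    hits = []
    for name, value in parse_qsl(query_or_body, keep_blank_values=True):
        for text in decodings(value):
            match = PHP_OBJECT.search(text)
            if match:
                hits.append((name, match.group(0)))
                break  # one hit per parameter is enough to flag it
    return hits


# Constructed sample requests; the object is an empty, harmless stdClass.
BENIGN = 'O:8:"stdClass":0:{}'
SAMPLES = {
    "plain": urlencode({"settings": BENIGN}),
    "nested": urlencode({"opts": "a:1:{i:0;" + BENIGN + "}"}),
    "base64": urlencode({"data": base64.b64encode(BENIGN.encode()).decode()}),
    "scalar": urlencode({"q": 's:5:"hello";', "page": "2"}),
    "prose": urlencode({"comment": "Ratio O:8 to C:3, see notes"}),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, find_serialized_objects(request))
```

Serialized scalars and arrays are deliberately not flagged: only the `O:` and `C:` tokens cause `unserialize()` to instantiate a class, which is what a POP chain needs.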


Fix available: 1.7.0

Affected packages
  • PressLayouts / Kapee: < 1.7.0 (from n/a)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H