HIGH · CVE-2026-41557 · Published · Modified · CNA: Patchstack

CVE-2026-41557: WordPress Kapee theme < 1.7.1 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 1.7.1
Affected Products: 1


HarborGuard Analysis

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability exists in the Kapee WordPress theme by PressLayouts, affecting all versions before 1.7.1. The flaw is reachable over the network and requires no authentication, but a victim must interact with a crafted link or page for the attack to succeed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session theft, content manipulation, and minor disruption of the affected page. A patched-image rebuild at version 1.7.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-41557 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds including Patchstack. This capability covers both images pulled from public registries and custom-built images that bundle the Kapee theme.

Status: Available
Triage

HarborGuard scores this CVE at 7.1 HIGH (CVSS v3.1) and weights it against each customer environment's compliance policy to determine urgency. Triage routing then sends findings to the appropriate team inbox within each customer organization based on policy-defined thresholds.

Status: Available
Patch

A patched-image rebuild at Kapee version 1.7.1 becomes available on HarborGuard once an image containing an affected version is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target WordPress site over the network; the vulnerable theme component is exposed via standard HTTP/HTTPS.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party who can deliver a crafted request or link to a victim.

  • Victim interaction: Required

    A victim must interact with a malicious link or crafted page, making social engineering (phishing, malicious redirect) a necessary step in the attack chain.

  • Attack complexity: Low

    Attack complexity is low (AC:L in the vector), meaning the exploit is reliable and requires no special race conditions, memory layout dependencies, or other environmental preconditions.

Blast Radius

  • Reads session cookies or authentication tokens from the victim's browser if the HttpOnly flag is absent, enabling session hijacking. WordPress sets its own authentication cookies HttpOnly by default, so in practice injected script more often acts within the victim's session directly (same-origin requests carry the cookies and nonces) than exfiltrates them; the impact is the same whether or not the cookie value is readable.
  • Injects and executes arbitrary JavaScript in the context of the victim's browser session on the affected WordPress site.
  • Modifies visible page content for the victim, enabling phishing overlays or credential-harvesting forms.
  • Causes minor disruption to the victim's browsing session on the affected site (availability impact limited to the client-side context).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41557 is active across ingest cycles, matching any image that bundles Kapee versions below 1.7.1 against the published advisory. A patched-image rebuild targeting Kapee 1.7.1 is available for any environment where an affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, the finding is routed to the designated team inbox with CVSS scoring and policy weighting attached so engineers can prioritize and act manually.


Fix available: 1.7.1

Affected packages
  • PressLayouts / Kapee: < 1.7.1 (from n/a)
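The record gives only the affected range, so the first practical question is which installed copies fall inside it. The Python below is an added example, not HarborGuard's scanner and not PressLayouts code: it reads the Version header from a theme's style.css the same way WordPress does (a header-line regex over the start of the file) and compares it against 1.7.1. The sample header and its Theme URI are constructed for illustration; only the Kapee name, the PressLayouts author and the 1.7.1 boundary come from this record.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed sample: the header block of wp-content/themes/kapee/style.css as
# WordPress would read it (a real file carries more headers and the CSS itself).
SAMPLE_STYLE_CSS = """/*
Theme Name: Kapee
Theme URI: https://example.invalid/kapee
Author: PressLayouts
Description: Constructed sample header for illustration.
Version: 1.6.8
Text Domain: kapee
*/
body { margin: 0; }
"""

FIXED_VERSION = "1.7.1"  # fixed version named in the advisory

# WordPress's get_file_data() reads theme headers from the first 8 KiB of
# style.css with a regex of this shape; the leading class allows the
# comment decoration that usually precedes each header line.
_HEADER_RE = r"^[ \t/*#@]*{}:(.*)$"


def read_header(css_text: str, key: str) -> Optional[str]:
    """Return the value of one header (e.g. 'Version') or None if absent/empty."""
    m = re.search(_HEADER_RE.format(re.escape(key)), css_text[:8192], re.M | re.I)
    if not m:
        return None
    return m.group(1).strip() or None


def parse_version(v: str) -> tuple:
    """'1.6.8' -> (1, 6, 8). Non-numeric suffixes are dropped; missing parts count as 0."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric dotted comparison, so '1.10' is not mistaken for being below '1.7.1'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def assess_theme(css_text: str) -> dict:
    """Decide whether a style.css describes a Kapee install in the affected range."""
    name = read_header(css_text, "Theme Name")
    version = read_header(css_text, "Version")
    template = read_header(css_text, "Template")  # present only on child themes
    verdict = {
        "theme": name,
        "version": version,
        "template": template,
        "is_kapee": (name or "").strip().lower() == "kapee",
        "affected": False,
        "note": "",
    }
    if template:
        # A child theme's Version is its own; the vulnerable code lives in the
        # parent theme named by Template, so that directory's style.css decides.
        verdict["note"] = f"child theme; check wp-content/themes/{template}/style.css"
        return verdict
    if verdict["is_kapee"] and version:
        verdict["affected"] = version_lt(version, FIXED_VERSION)
    return verdict


def assess_theme_dir(theme_dir: str) -> dict:
    """Assess an installed theme by path, e.g. /var/www/html/wp-content/themes/kapee."""
    css = Path(theme_dir, "style.css").read_text(encoding="utf-8", errors="replace")
    return assess_theme(css)


if __name__ == "__main__":
    print(assess_theme(SAMPLE_STYLE_CSS))
```

Run it against the parent theme directory on each host or in each image layer that bundles the theme; a kapee-child directory reports its own version and is deliberately not treated as a verdict about the parent.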
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
References