PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39446 PressLayouts CVE debrief

CVE-2026-39446 is a high-severity (CVSS 8.1) unauthenticated PHP object injection vulnerability in the Kapee theme, affecting versions prior to 1.7.0. It allows attackers to inject malicious PHP objects without authentication, potentially leading to unauthorized code execution. Organizations using affected Kapee versions should prioritize patching. The CVE was published on June 17, 2026, and immediately gained attention due to its high severity and potential impact. Patchstack reported this vulnerability, providing crucial details for mitigation.

Vendor: PressLayouts
Product: Kapee
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams responsible for managing WordPress themes, particularly those using the Kapee theme, should be aware of this vulnerability. Given its high severity and potential for exploitation, immediate attention is necessary to prevent potential attacks.

Technical summary

CVE-2026-39446 is an unauthenticated PHP object injection vulnerability in the Kapee theme, affecting versions prior to 1.7.0. It has a CVSS score of 8.1 (high), with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, and is classified under CWE-502, 'Deserialization of Untrusted Data.' Attackers can inject malicious PHP objects without authentication, which could lead to unauthorized code execution.

Defensive priority

High

Recommended defensive actions

  • Update Kapee theme to version 1.7.0 or later
  • Review other themes and plugins for PHP object injection vulnerabilities and restrict their exposure
  • Implement web application firewalls (WAFs) to detect and block suspicious traffic
  • Regularly monitor and update WordPress installations and themes
  • Conduct thorough vulnerability assessments and penetration testing
  • Enhance authentication and authorization mechanisms for WordPress installations
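
To support the first action above, the following added example (not code from PatchSiren, Patchstack or PressLayouts) audits a directory of WordPress installs for Kapee copies older than 1.7.0 by reading the Version header in each theme's style.css. The folder name "kapee" and the sample sites are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 7, 0)      # first fixed release named in the advisory
THEME_SLUG = "kapee"   # assumption: the theme's folder name under wp-content/themes
# Modelled on WordPress header matching: optional comment characters, then "Version:"
HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """Return the style.css Version header as a 3-int tuple, or None if absent."""
    m = HEADER.search(text[:8192])          # WordPress only reads the first 8 KB
    nums = [int(n) for n in re.findall(r"\d+", m.group(1))[:3]] if m else []
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def audit(root):
    """Return (site dir name, version tuple, status) for each Kapee copy under root."""
    rows = []
    for css in sorted(Path(root).rglob(f"wp-content/themes/{THEME_SLUG}/style.css")):
        ver = parse_version(css.read_text(encoding="utf-8", errors="replace"))
        status = "unknown" if ver is None else "vulnerable" if ver < FIXED else "patched"
        rows.append((css.parents[3].name, ver, status))
    return rows

def demo():
    """Build a constructed three-site tree and audit it."""
    samples = {  # constructed sample headers, not taken from real sites
        "site-a": "/*\nTheme Name: Kapee\nVersion: 1.6.4\n*/\n",
        "site-b": "/*\nTheme Name: Kapee\nVersion: 1.7.0\n*/\n",
        "site-c": "/* header stripped by a build step */\nbody{margin:0}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for site, css in samples.items():
            d = Path(tmp, site, "wp-content", "themes", THEME_SLUG)
            d.mkdir(parents=True)
            (d / "style.css").write_text(css, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for site, ver, status in demo():
        print(f"{site}: {ver} -> {status}")
```

A copy reported as "unknown" has no readable Version header and needs a manual check rather than being assumed patched.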

Evidence notes

The details provided are based on information from the National Vulnerability Database (NVD) and Patchstack. The CVE record was published on June 17, 2026, and the vulnerability was reported by [email protected]. The information provided is limited to available data and may not be exhaustive.
