Impact
The vulnerability allows a subscriber to execute arbitrary code on the WordPress site running Cornerstone version earlier than 7.8.8. It originates from insufficient validation of data received during the subscription process, enabling an attacker to inject and run malicious scripts. Successful exploitation could grant full code execution privileges, leading to total site compromise, data theft, or further lateral movement within the hosting environment.
Affected Systems
The affected product is the WordPress Cornerstone plugin, distributed by THEMECO. Any WordPress installation that uses Cornerstone prior to version 7.8.8 is vulnerable. The plugin is widely deployed on sites that utilize the Cornerstone page builder and associated themes.
Risk and Exploitability
The CVSS score of 8.5 reflects high severity, yet the EPSS score of less than 1% indicates that exploitation is currently uncommon or not reported. The vulnerability is not listed in CISA’s KEV catalog. The description implies a remote attack vector via the public subscription interface, meaning an attacker can exploit this flaw without local or privileged access. However, the precise exploitation details are not fully disclosed, so this assessment is based on available information and logical inference.
OpenCVE Enrichment