Description
Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.
Published: 2026-06-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a subscriber to execute arbitrary code on the WordPress site running Cornerstone version earlier than 7.8.8. It originates from insufficient validation of data received during the subscription process, enabling an attacker to inject and run malicious scripts. Successful exploitation could grant full code execution privileges, leading to total site compromise, data theft, or further lateral movement within the hosting environment.

Affected Systems

The affected product is the WordPress Cornerstone plugin, distributed by THEMECO. Any WordPress installation that uses Cornerstone prior to version 7.8.8 is vulnerable. The plugin is widely deployed on sites that utilize the Cornerstone page builder and associated themes.

Risk and Exploitability

The CVSS score of 8.5 reflects high severity, yet the EPSS score of less than 1% indicates that exploitation is currently uncommon or not reported. The vulnerability is not listed in CISA’s KEV catalog. The description implies a remote attack vector via the public subscription interface, meaning an attacker can exploit this flaw without local or privileged access. However, the precise exploitation details are not fully disclosed, so this assessment is based on available information and logical inference.

Generated by OpenCVE AI on June 17, 2026 at 19:32 UTC.

Remediation

Vendor Solution

Update the WordPress Cornerstone Plugin to the latest available version (at least 7.8.8).


OpenCVE Recommended Actions

  • Update the WordPress Cornerstone Plugin to version 7.8.8 or later
  • If the plugin is not essential to site functionality, consider disabling or uninstalling it
  • Regularly review site logs for unusual activity and ensure other WordPress components are up to date

Generated by OpenCVE AI on June 17, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themeco
Themeco cornerstone
Wordpress
Wordpress wordpress
Vendors & Products Themeco
Themeco cornerstone
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.
Title WordPress Cornerstone plugin < 7.8.8 - Arbitrary Code Execution vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Themeco Cornerstone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:36:22.323Z

Reserved: 2026-05-27T15:12:19.106Z

Link: CVE-2026-49113

cve-icon Vulnrichment

Updated: 2026-06-17T10:36:17.729Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:19Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')