Impact
The Cornerstone plugin for WordPress, maintained by ThemeCo, contains an unauthenticated subscriber‑related SQL injection flaw in all releases older than 7.8.8. The vulnerability allows an attacker to inject arbitrary SQL through unfiltered input, enabling read, modification, or deletion of database records and potentially escalating privileges. The flaw is classified as CWE‑89.
Affected Systems
WordPress users who have installed the Cornerstone plugin from ThemeCo in any version prior to 7.8.8 are affected. The vulnerability resides in the subscriber component of the plugin and affects all installations that have not upgraded to 7.8.8 or later.
Risk and Exploitability
The CVSS score of 8.5 signals a high severity of compromise, although the EPSS score is not available, so the exact exploitation probability is uncertain. The plugin is exposed through the web interface, suggesting a likely remote attack vector via crafted HTTP requests. The vulnerability is not listed in the CISA KEV catalog, but patching remains critical to prevent possible data loss or unauthorized access.
OpenCVE Enrichment