Description
Subscriber SQL Injection in Cornerstone < 7.8.8 versions.
Published: 2026-06-17
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Cornerstone plugin for WordPress, maintained by ThemeCo, contains an unauthenticated subscriber‑related SQL injection flaw in all releases older than 7.8.8. The vulnerability allows an attacker to inject arbitrary SQL through unfiltered input, enabling read, modification, or deletion of database records and potentially escalating privileges. The flaw is classified as CWE‑89.

Affected Systems

WordPress users who have installed the Cornerstone plugin from ThemeCo in any version prior to 7.8.8 are affected. The vulnerability resides in the subscriber component of the plugin and affects all installations that have not upgraded to 7.8.8 or later.

Risk and Exploitability

The CVSS score of 8.5 signals a high severity of compromise, although the EPSS score is not available, so the exact exploitation probability is uncertain. The plugin is exposed through the web interface, suggesting a likely remote attack vector via crafted HTTP requests. The vulnerability is not listed in the CISA KEV catalog, but patching remains critical to prevent possible data loss or unauthorized access.

Generated by OpenCVE AI on June 18, 2026 at 12:06 UTC.

Remediation

Vendor Solution

Update the WordPress Cornerstone Plugin to the latest available version (at least 7.8.8).


OpenCVE Recommended Actions

  • Update the Cornerstone plugin to version 7.8.8 or later.
  • If an immediate update cannot be performed, temporarily disable the Cornerstone plugin or restrict access to the subscriber feature until the patch is applied.
  • Ensure all other WordPress core components and plugins are updated to the latest versions to reduce overall exposure.

Generated by OpenCVE AI on June 18, 2026 at 12:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themeco
Themeco cornerstone
Wordpress
Wordpress wordpress
Vendors & Products Themeco
Themeco cornerstone
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber SQL Injection in Cornerstone < 7.8.8 versions.
Title WordPress Cornerstone plugin < 7.8.8 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Themeco Cornerstone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:29:59.133Z

Reserved: 2026-06-12T09:15:46.416Z

Link: CVE-2026-54185

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:44Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')