Impact
The Cornerstone page builder, sold as part of Themeco’s X Theme, had a missing capability check on a REST API route before version 7.8.9. Authenticated users could call this endpoint to retrieve the metadata of any other user, including their roles, session token previews, and stored billing or shipping information.
Affected Systems
The affected product is the premium Cornerstone bundle that ships with the X Theme; any WordPress installation running a Cornerstone version earlier than 7.8.9 is vulnerable. The open‑source Cornerstone plugin (v0.8.x) from the WordPress.org repository is explicitly stated as not being affected.
Risk and Exploitability
Because the flaw is exercised through an authenticated REST API request, a standard site user can exploit it; the EPSS score of <1% shows a low overall likelihood of exploitation, yet the CVSS score of 7.7 reflects the high severity of exposing sensitive user data. The absence of a KEV listing means no known exploit activity is tracked, but the potential for privacy and financial data leakage remains significant.
OpenCVE Enrichment