Description
The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.9 (v0.8.x) on the .org repository.
Published: 2026-06-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Cornerstone page builder, sold as part of Themeco’s X Theme, had a missing capability check on a REST API route before version 7.8.9. Authenticated users could call this endpoint to retrieve the metadata of any other user, including their roles, session token previews, and stored billing or shipping information.

Affected Systems

The affected product is the premium Cornerstone bundle that ships with the X Theme; any WordPress installation running a Cornerstone version earlier than 7.8.9 is vulnerable. The open‑source Cornerstone plugin (v0.8.x) from the WordPress.org repository is explicitly stated as not being affected.

Risk and Exploitability

Because the flaw is exercised through an authenticated REST API request, a standard site user can exploit it; the EPSS score of <1% shows a low overall likelihood of exploitation, yet the CVSS score of 7.7 reflects the high severity of exposing sensitive user data. The absence of a KEV listing means no known exploit activity is tracked, but the potential for privacy and financial data leakage remains significant.

Generated by OpenCVE AI on June 24, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cornerstone to version 7.8.9 or later bundled with the X Theme.
  • If an upgrade is not feasible, disable the vulnerable REST endpoint or restrict it so that only administrators can access it.
  • Enable multi‑factor authentication for all user accounts to limit credential misuse.

Generated by OpenCVE AI on June 24, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Cornerstone Project
Cornerstone Project cornerstone
Wordpress
Wordpress wordpress
Vendors & Products Cornerstone Project
Cornerstone Project cornerstone
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.9 (v0.8.x) on the .org repository.
Title Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Meta Disclosure
References

Subscriptions

Cornerstone Project Cornerstone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-24T12:11:35.195Z

Reserved: 2026-05-27T14:02:13.983Z

Link: CVE-2026-9709

cve-icon Vulnrichment

Updated: 2026-06-24T12:10:28.020Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T17:30:16Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control