Impact
The vulnerability is caused by the Cornerstone premium plugin failing to enforce capability checks on a CSS preview request handler. The plugin inadvertently exposes the nonce required to call this handler to any logged-in user on any WordPress admin page, allowing them to trigger the preview for arbitrary users. By evaluating dynamic content tokens this way, an attacker can retrieve sensitive metadata, including raw password hashes. This access control oversight results in unauthorized disclosure of user data.
Affected Systems
Themeco Cornerstone Premium, bundled with the X Theme, is vulnerable in all releases prior to version 7.8.8. The free Cornerstone WordPress plugin on the .org repository is not affected.
Risk and Exploitability
The vulnerability can be exploited by any authenticated user who can access WordPress admin pages, as the plugin exposes the necessary nonce to all logged-in users on any wp-admin page. The CVSS score is 7.7, the EPSS score is < 1%, and the vulnerability is not listed in CISA KEV. Because capability checks are missing, the flaw is readily exploitable and poses a risk of credential theft across the site.
OpenCVE Enrichment