Description
The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.8 (v0.8.x) on the .org repository.
Published: 2026-06-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by the Cornerstone premium plugin failing to enforce capability checks on a CSS preview request handler. The plugin inadvertently exposes the nonce required to call this handler to any logged-in user on any WordPress admin page, allowing them to trigger the preview for arbitrary users. By evaluating dynamic content tokens this way, an attacker can retrieve sensitive metadata, including raw password hashes. This access control oversight results in unauthorized disclosure of user data.

Affected Systems

Themeco Cornerstone Premium, bundled with the X Theme, is vulnerable in all releases prior to version 7.8.8. The free Cornerstone WordPress plugin on the .org repository is not affected.

Risk and Exploitability

The vulnerability can be exploited by any authenticated user who can access WordPress admin pages, as the plugin exposes the necessary nonce to all logged-in users on any wp-admin page. The CVSS score is 7.7, the EPSS score is < 1%, and the vulnerability is not listed in CISA KEV. Because capability checks are missing, the flaw is readily exploitable and poses a risk of credential theft across the site.

Generated by OpenCVE AI on June 24, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Themeco Cornerstone plugin to version 7.8.8 or later, which contains the required capability checks for the preview handler.
  • If an immediate upgrade is not possible, disable the Cornerstone preview feature or restrict its use to administrator roles only by editing user capabilities or applying a role-based access control plugin.
  • Consider auditing all user accounts and rotating passwords, especially for accounts that accessed the site during the period the vulnerability was active, to mitigate any potential password hash compromise.

Generated by OpenCVE AI on June 24, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Cornerstone Project
Cornerstone Project cornerstone
Wordpress
Wordpress wordpress
Weaknesses CWE-200
CWE-284
Vendors & Products Cornerstone Project
Cornerstone Project cornerstone
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.8 (v0.8.x) on the .org repository.
Title Themeco Cornerstone < 7.8.8 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Password Hash Disclosure
References

Subscriptions

Cornerstone Project Cornerstone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-24T12:08:06.258Z

Reserved: 2026-05-27T14:02:20.118Z

Link: CVE-2026-9710

cve-icon Vulnrichment

Updated: 2026-06-24T12:07:47.210Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T18:00:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control