
Cornerstone Plugin CVE-2026-49113

EUVD: EUVD-2026-37497 · HIGH
Code Injection (CWE-94)
2026-06-16 · Patchstack
CVSS 3.1 score: 8.5 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary source: 8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI: 8.5 HIGH

Network-reachable WordPress endpoint (AV:N), requires Subscriber auth (PR:L), non-trivial exploitation conditions implied by advisory (AC:H), arbitrary code execution breaks out of plugin scope to host OS (S:C) with full CIA impact.

CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 16, 2026 - 23:25 (vuln.today)
Patch available: Jun 16, 2026 - 23:02 (EUVD)

Description (CVE.org)

Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.

Analysis (AI)

Arbitrary code execution in Themeco Cornerstone WordPress plugin versions prior to 7.8.8 allows authenticated low-privilege users (Subscriber role) to inject and execute arbitrary code on the underlying server. The CVSS:3.1 vector indicates a scope-changed network-vector flaw with high impact on confidentiality, integrity, and availability, though high attack complexity tempers the realistic risk. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register or obtain Subscriber account
Delivery: Authenticate to WordPress
Exploit: Send crafted request to vulnerable Cornerstone endpoint
Execution: Inject attacker-controlled code
Persist: Achieve PHP execution as web server
Impact: Install webshell and exfiltrate wp-config secrets

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated WordPress account with at least the Subscriber role on a site running Cornerstone < 7.8.8; the description explicitly scopes this as 'Subscriber Arbitrary Code Execution'. …
Risk Assessment: Signals are mixed. CVSS 8.5 (High) reflects the scope change and full CIA impact, but AC:H and PR:L indicate the attacker must already hold a Subscriber account and overcome non-trivial exploitation conditions, which lowers the practical risk relative to the headline score. …
Exploit Scenario: An attacker registers a normal Subscriber account on a target WordPress site (or compromises an existing low-privilege account), then sends a crafted request to a vulnerable Cornerstone endpoint that improperly handles user-controlled input flowing into code generation. Successful exploitation yields arbitrary PHP execution under the web server account, enabling webshell installation, credential theft from wp-config.php, and full site takeover. …
Remediation: Upgrade the Cornerstone plugin to version 7.8.8 or later, which is the vendor-released patch per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cornerstone/vulnerability/wordpress-cornerstone-plugin-7-8-8-arbitrary-code-execution-vulnerability). …

Recommended Action (AI)

Within 24 hours: inventory all WordPress installations running Themeco Cornerstone plugin versions prior to 7.8.8. …



CVE-2026-49113 vulnerability details – vuln.today
