Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N), requires Subscriber auth (PR:L), non-trivial exploitation conditions implied by advisory (AC:H), arbitrary code execution breaks out of plugin scope to host OS (S:C) with full CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.
AnalysisAI
Arbitrary code execution in Themeco Cornerstone WordPress plugin versions prior to 7.8.8 allows authenticated low-privilege users (Subscriber role) to inject and execute arbitrary code on the underlying server. The CVSS:3.1 vector indicates a scope-changed network-vector flaw with high impact on confidentiality, integrity, and availability, though high attack complexity tempers the realistic risk. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated WordPress account with at least the Subscriber role on a site running Cornerstone < 7.8.8 - the description explicitly scopes this as 'Subscriber Arbitrary Code Execution'. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed: CVSS 8.5 (High) reflects scope change and full CIA impact, but AC:H and PR:L indicate the attacker must already hold a Subscriber account and overcome non-trivial exploitation conditions, which lowers practical risk relative to the headline score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a normal Subscriber account on a target WordPress site (or compromises an existing low-privilege account), then sends a crafted request to a vulnerable Cornerstone endpoint that improperly handles user-controlled input flowing into code generation. Successful exploitation yields arbitrary PHP execution under the web server account, enabling webshell installation, credential theft from wp-config.php, and full site takeover. … |
| Remediation | Upgrade the Cornerstone plugin to version 7.8.8 or later, which is the vendor-released patch per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cornerstone/vulnerability/wordpress-cornerstone-plugin-7-8-8-arbitrary-code-execution-vulnerability). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all WordPress installations using Themeco Cornerstone plugin versions prior to 7.8.8. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Cornerstone
View allSensitive information disclosure in the premium Cornerstone page builder (bundled with the X theme) versions 3.0.0 throu
Authenticated information disclosure in the premium Cornerstone page builder (bundled with the X WordPress theme) before
SQL injection in the Cornerstone WordPress plugin (Themeco) versions prior to 7.8.8 allows authenticated users with Subs
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37497