
Cornerstone (product): 4 CVEs

CVE-2026-9710 | HIGH | POC | PATCH | This Week

Sensitive information disclosure in the premium Cornerstone page builder (bundled with the X theme) versions 3.0.0 through 7.8.7 allows any authenticated WordPress user to extract raw password hashes and other private user metadata. The CSS-preview request handler fails to enforce capability checks while exposing its required nonce on every wp-admin page, and publicly available exploit code exists per WPScan, though no active exploitation has been reported.

Tags: WordPress, Information Disclosure, Cornerstone
Sources: NVD, WPScan, VulDB
CVSS 3.1: 7.7
EPSS: 0.1%

CVE-2026-9709 | HIGH | POC | PATCH | This Week

Authenticated information disclosure in the premium Cornerstone page builder (bundled with the X WordPress theme) before version 7.8.9 allows any logged-in user to enumerate other users' metadata via an unprotected REST API route. Disclosed data includes roles, session token previews, and stored billing/shipping fields, enabling account targeting and potential session abuse. Publicly available exploit code exists per WPScan, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.

Tags: WordPress, Information Disclosure, Cornerstone
Sources: NVD, WPScan, VulDB
CVSS 3.1: 7.7
EPSS: 0.1%

CVE-2026-54185 | HIGH | PATCH | This Week

SQL injection in the Cornerstone WordPress plugin (Themeco) versions prior to 7.8.8 allows authenticated users with Subscriber-level access to inject SQL into backend queries. Per the CVSS vector (PR:L, scope changed, C:H), a low-privileged WordPress account can read sensitive database contents - including credentials and PII - across security boundaries, with limited availability impact and no integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Tags: SQLi, Cornerstone
Sources: NVD, VulDB
CVSS 3.1: 8.5
EPSS: 0.3%

CVE-2026-49113 | HIGH | PATCH | This Week

Arbitrary code execution in the Themeco Cornerstone WordPress plugin, versions prior to 7.8.8, allows authenticated low-privilege users (Subscriber role) to inject and execute arbitrary code on the underlying server. The CVSS:3.1 vector indicates a scope-changed, network-vector flaw with high impact on confidentiality, integrity, and availability, though high attack complexity tempers the realistic risk. No public exploit was identified at time of analysis, and the issue is not on the CISA KEV list.

Tags: RCE, Code Injection, Cornerstone
Sources: NVD
CVSS 3.1: 8.5
EPSS: 0.4%