CVE-2026-9709
Deferred Deferred - Pending Action

Unauthenticated User Metadata Disclosure in Cornerstone WordPress Plugin

Vulnerability report for CVE-2026-9709, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.9 (v0.8.x) on the .org repository.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
themeco cornerstone to 7.8.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in the Themeco Cornerstone plugin allows any authenticated user to disclose sensitive user metadata, including roles, session tokens, and billing or shipping information. Such unauthorized disclosure of personal and sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal data and mandate protection against unauthorized disclosure.

Specifically, GDPR requires organizations to ensure the confidentiality and integrity of personal data, and unauthorized access to user metadata could be considered a breach of these principles. Similarly, HIPAA mandates the protection of personal health information, and while this vulnerability may not directly expose health data, the exposure of session tokens and billing information could still pose compliance risks.

Executive Summary

The vulnerability exists in the Themeco Cornerstone WordPress plugin versions prior to 7.8.9, which is the premium version bundled with the X Theme. It occurs because one of the plugin's REST API routes does not enforce proper capability checks.

This flaw allows any authenticated user, even those with minimal roles like Subscriber, to access and disclose metadata of any other user. The exposed metadata can include sensitive information such as user roles, session token previews, and stored billing or shipping details.

Impact Analysis

This vulnerability can lead to sensitive data disclosure, allowing attackers with low-level access to retrieve private user information. This can compromise user privacy and security by exposing roles, session tokens, and billing or shipping information.

Such exposure could facilitate further attacks, including session hijacking or unauthorized actions performed under another user's identity.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable REST API route as an authenticated user with a low-level role such as Subscriber. The detection involves authenticating, obtaining a REST nonce, and sending a crafted request with a gzip+base64-encoded payload targeting a specific user to retrieve metadata.

A practical approach would be to use tools like curl or Postman to send requests to the REST API endpoint of the Themeco Cornerstone plugin prior to version 7.8.9, using an authenticated session of a Subscriber user.

  • Authenticate as a Subscriber user to the WordPress site.
  • Obtain a valid REST nonce for the session.
  • Craft a gzip+base64-encoded payload targeting a specific user ID.
  • Send a POST request to the vulnerable REST API endpoint with the payload.

Example curl command structure (replace placeholders accordingly):

  • curl -X POST https://example.com/wp-json/cornerstone/v1/users/metadata -H "X-WP-Nonce: <nonce>" -H "Content-Type: application/json" -d '{"payload":"<gzip+base64-encoded-payload>"}' -b "wordpress_logged_in=<cookie>"
Mitigation Strategies

The immediate and most effective mitigation step is to update the Themeco Cornerstone plugin to version 7.8.9 or later, where the vulnerability has been fixed.

If updating immediately is not possible, consider restricting access to the vulnerable REST API route by limiting authenticated user roles or applying firewall rules to block suspicious requests targeting the endpoint.

Additionally, monitor user activity for unusual access patterns and consider resetting session tokens or credentials if a compromise is suspected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart