CVE-2026-9709
Received - Intake
Unauthenticated User Metadata Disclosure in Cornerstone WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description
The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium Cornerstone page builder bundled with the X theme, not the unrelated free `cornerstone` plugin (v0.8.x) on the .org repository.

Meta Information
  • Published: 2026-06-24
  • Last Modified: 2026-06-24
  • Generated: 2026-06-24
  • AI Q&A: 2026-06-24
  • EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE:
  • Vendor: themeco; Product: cornerstone; Version / Range: to 7.8.9 (exc)
CWE ID: CWE-UNKNOWN
Executive Summary

The vulnerability exists in the Themeco Cornerstone WordPress plugin versions prior to 7.8.9, which is the premium version bundled with the X Theme. It occurs because one of the plugin's REST API routes does not enforce proper capability checks.

This flaw allows any authenticated user, even those with minimal roles like Subscriber, to access and disclose metadata of any other user. The exposed metadata can include sensitive information such as user roles, session token previews, and stored billing or shipping details.

Impact Analysis

This vulnerability can lead to sensitive data disclosure, allowing attackers with low-level access to retrieve private user information. This can compromise user privacy and security by exposing roles, session tokens, and billing or shipping information.

Such exposure could facilitate further attacks, including session hijacking or unauthorized actions performed under another user's identity.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable REST API route as an authenticated user with a low-level role such as Subscriber. The detection involves authenticating, obtaining a REST nonce, and sending a crafted request with a gzip+base64-encoded payload targeting a specific user to retrieve metadata.

A practical approach would be to use tools like curl or Postman to send requests to the REST API endpoint of the Themeco Cornerstone plugin prior to version 7.8.9, using an authenticated session of a Subscriber user.

  • Authenticate as a Subscriber user to the WordPress site.
  • Obtain a valid REST nonce for the session.
  • Craft a gzip+base64-encoded payload targeting a specific user ID.
  • Send a POST request to the vulnerable REST API endpoint with the payload.

Example curl command structure (replace placeholders accordingly):

    curl -X POST https://example.com/wp-json/cornerstone/v1/users/metadata -H "X-WP-Nonce: <nonce>" -H "Content-Type: application/json" -d '{"payload":"<gzip+base64-encoded-payload>"}' -b "wordpress_logged_in=<cookie>"

Mitigation Strategies

The immediate and most effective mitigation step is to update the Themeco Cornerstone plugin to version 7.8.9 or later, where the vulnerability has been fixed.

If updating immediately is not possible, consider restricting access to the vulnerable REST API route by limiting authenticated user roles or applying firewall rules to block suspicious requests targeting the endpoint.

Additionally, monitor user activity for unusual access patterns and consider resetting session tokens or credentials if a compromise is suspected.
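
One way to do the monitoring described above is to review web server access logs for repeated successful POSTs to the route. This is an added example, not code from the advisory or the plugin. It assumes Combined Log Format, the default `/wp-json` REST prefix (or the `rest_route` query form), the route path shown in the curl example on this page, and an arbitrary threshold of three hits; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Route from the curl example on this page, without the /wp-json prefix.
ROUTE = "/cornerstone/v1/users/metadata"
# Combined Log Format: ip ident user [time] "METHOD target proto" status bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<size>\d+|-)')

def rest_route_of(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    idx = parts.path.find("/wp-json/")
    if idx != -1:  # pretty permalinks, site possibly in a subdirectory
        return parts.path[idx + len("/wp-json"):].rstrip("/")
    route = parse_qs(parts.query).get("rest_route")  # plain-permalink form
    return route[0].rstrip("/") if route else None

def flag_clients(lines, min_ok=3):
    """Map client IP -> counters for clients with >= min_ok 2xx POSTs to ROUTE."""
    stats = defaultdict(lambda: {"ok": 0, "denied": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or rest_route_of(m["target"]) != ROUTE:
            continue
        entry, status = stats[m["ip"]], int(m["status"])
        if 200 <= status < 300:
            entry["ok"] += 1
            entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        elif status in (401, 403):  # expected for low-privilege users once patched
            entry["denied"] += 1
    return {ip: s for ip, s in stats.items() if s["ok"] >= min_ok}

def _line(ip, target, status, size, method="POST"):
    return f'{ip} - - [24/Jun/2026:10:00:00 +0000] "{method} {target} HTTP/1.1" {status} {size} "-" "-"'

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    _line("203.0.113.7", "/wp-json/cornerstone/v1/users/metadata", 200, 812),
    _line("203.0.113.7", "/wp-json/cornerstone/v1/users/metadata", 200, 790),
    _line("203.0.113.7", "/?rest_route=%2Fcornerstone%2Fv1%2Fusers%2Fmetadata", 200, 805),
    _line("198.51.100.20", "/wp-json/cornerstone/v1/users/metadata", 403, 120),
    _line("198.51.100.20", "/wp-json/cornerstone/v1/users/metadata", 200, 640),
    _line("192.0.2.10", "/wp-json/wp/v2/posts", 200, 5120, method="GET"),
]

if __name__ == "__main__": print(flag_clients(SAMPLE_LOG))
```

Access logs do not record the request body, so this only shows which clients called the route and how often; correlate flagged clients with WordPress login records to identify the account involved.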
