CVE-2026-9710
Received Received - Intake
Cornerstone WordPress Plugin Authenticated Sensitive Data Exposure

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description
The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.8 (v0.8.x) on the .org repository.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-9710
EUVD
EUVD-2026-38697
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themeco cornerstone to 7.8.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Themeco Cornerstone WordPress plugin versions prior to 7.8.8, which is bundled with the premium X Theme. It occurs because the plugin does not enforce proper capability checks on one of its CSS-preview request handlers and exposes the nonce required to call this handler to every logged-in user on any wp-admin page.

This flaw allows any authenticated user, even those with Subscriber-level access, to extract the nonce from a wp-admin page and send a crafted request to the CSS preview endpoint. By doing so, the attacker can evaluate dynamic content tokens against arbitrary users and disclose sensitive user metadata, including raw password hashes stored in the WordPress database.

Impact Analysis

This vulnerability can have a significant impact as it allows any authenticated user with minimal privileges (Subscriber-level or higher) to access sensitive user data that should be protected.

Specifically, an attacker can retrieve sensitive metadata including raw password hashes of arbitrary users, which could lead to further compromise of user accounts if these hashes are cracked or reused elsewhere.

Such unauthorized disclosure of sensitive data can lead to account takeover, loss of user trust, and potential damage to the website's integrity and security.

Detection Guidance

This vulnerability can be detected by checking if the Themeco Cornerstone plugin version is prior to 7.8.8, as these versions contain the flaw.

An attacker can authenticate as a Subscriber-level user, extract the nonce from any wp-admin page, and send a crafted request to the CSS preview endpoint to retrieve sensitive user metadata including raw password hashes.

To detect exploitation attempts, monitor for unusual POST requests to the CSS-preview request handler endpoint from authenticated users with low privileges.

Specific commands are not provided in the resources, but detection could involve inspecting HTTP requests to the CSS preview endpoint and verifying the plugin version installed.

Mitigation Strategies

The immediate mitigation step is to update the Themeco Cornerstone plugin to version 7.8.8 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict access to wp-admin pages to trusted users only and monitor for suspicious activity involving the CSS preview request handler.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9710. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart