WordPress Cornerstone plugin < 7.8.8 - Arbitrary Code Execution vulnerability
No known patch is available for this vulnerability.
The affected plugin has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Subscriber-level arbitrary code execution in WordPress Cornerstone plugin (versions < 7.8.8) allows authenticated attackers to execute malicious code; plugin appears abandoned with no official fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an arbitrary code execution flaw in the WordPress Cornerstone plugin. According to Patchstack [1], versions prior to 7.8.8 are affected. However, the WordPress.org plugin repository lists the latest version as 0.8.1 and indicates the plugin is abandoned [2], meaning no patched version has been released. The vulnerability allows a subscriber-level user to execute arbitrary code.
Exploitation
An attacker needs a subscriber-level account on the WordPress site. The exact exploitation steps are not detailed in the references, but the vulnerability is classified as arbitrary code execution, suggesting the attacker can inject and execute PHP code via the plugin's functionality. The Patchstack advisory notes that this vulnerability is expected to be used in mass-exploit campaigns [1].
Impact
Successful exploitation allows an authenticated attacker with subscriber privileges to execute arbitrary code on the server, leading to full site compromise, data theft, or further attacks. The CVSS score is 8.5 (High) [1].
Mitigation
Patchstack recommends updating to version 7.8.8 or later [1]. However, the plugin appears abandoned on WordPress.org with no update since 2024 [2], so no official fix is available. Users should uninstall the plugin or replace it with an actively maintained alternative. Patchstack offers a mitigation rule to block attacks until an update is applied [1].
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
cornerstone: This plugin appears unmaintained — its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed. The latest installable version is still vulnerable. Users should uninstall it or switch to an actively-maintained alternative.
Source: api.wordpress.org · directory page
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (2)
- WordPress: 25 CVEs Disclosed in One Day — RCE, File Upload, and a Wave of PHP Object Injection Flaws in Themes. Vypr Intelligence · Jun 16, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026). Wordfence Blog · Jun 11, 2026