VYPR
Unrated severity · NVD Advisory · Published Jun 24, 2026

Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Meta Disclosure

CVE-2026-9709

Description

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium Cornerstone page builder distributed bundled with the X Theme, not the unrelated free Cornerstone plugin (v0.8.x) on the WordPress.org repository.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Patches

Vulnerability mechanics

Root cause

"Missing capability check on a REST API route allows any authenticated user to read arbitrary user metadata."

Attack vector

An attacker who is authenticated as any WordPress user (e.g., a subscriber) can send a crafted REST API request to the vulnerable route. The route does not verify that the requester has permission to view the target user's metadata. By supplying a different user ID, the attacker can retrieve sensitive data such as user roles, session token previews, and stored billing/shipping fields [ref_id=1]. No special privileges or network position beyond standard WordPress authentication are required.

Affected code

The premium Themeco Cornerstone page builder (bundled with the X Theme) before version 7.8.9 fails to enforce capability checks on one of its REST API routes. This allows any authenticated user to query the metadata of any other user via that unprotected endpoint.

What the fix does

The advisory states the fix is included in version 7.8.9 of the premium Cornerstone plugin [ref_id=1]. The patch adds a capability check to the vulnerable REST API route, ensuring that only users with the appropriate permissions can access another user's metadata. Without this check, any authenticated user could enumerate arbitrary user meta.
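To make the class of bug described above concrete, here is an added illustration (not Cornerstone's code; the advisory does not publish the affected route, so the namespace `example-plugin/v1`, the route paths and all function names are placeholders) of a WordPress REST route registered with no real authorization, next to the same route hardened with a per-target capability check and a field allow-list:

```php
<?php
// Added example, not from the plugin. Namespace, routes and callback
// names are hypothetical; the WordPress APIs used are real core functions.

// --- Vulnerable pattern: reachable by any authenticated user. ---
// permission_callback returning true unconditionally means WordPress does
// no authorization of its own, so a subscriber can read any user's meta by ID.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/user-meta/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_user_meta_unsafe',
        'permission_callback' => '__return_true',
    ) );
} );

function example_get_user_meta_unsafe( WP_REST_Request $request ) {
    $user_id = (int) $request['id'];
    // Returns every meta key for the target, including wp_capabilities
    // (roles) and session_tokens, which is exactly the disclosure described.
    return rest_ensure_response( get_user_meta( $user_id ) );
}

// --- Hardened pattern: object-level capability check plus allow-list. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/user-meta-safe/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_user_meta_safe',
        'permission_callback' => 'example_can_read_user_meta',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_can_read_user_meta( WP_REST_Request $request ) {
    $target_id = (int) $request['id'];

    // Anonymous callers are rejected before the route body ever runs.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    // A user may read their own meta; reading someone else's requires the
    // 'edit_user' meta capability, which core maps per target user (so a
    // subscriber fails this check for every ID but their own).
    if ( get_current_user_id() === $target_id || current_user_can( 'edit_user', $target_id ) ) {
        return true;
    }

    return new WP_Error( 'rest_forbidden', 'You cannot view this user\'s metadata.', array( 'status' => 403 ) );
}

function example_get_user_meta_safe( WP_REST_Request $request ) {
    $user_id = (int) $request['id'];

    if ( ! get_userdata( $user_id ) ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }

    // Even for authorised callers, never echo internal keys such as
    // session_tokens or wp_capabilities; expose an explicit allow-list only.
    $allowed = array( 'first_name', 'last_name', 'description' );
    $out     = array();
    foreach ( $allowed as $key ) {
        $out[ $key ] = get_user_meta( $user_id, $key, true );
    }
    return rest_ensure_response( $out );
}
```

The `permission_callback` is the only authorization point a REST route has: WordPress warns when it is omitted, but `'__return_true'` silences that warning without adding any check, which is why a route can be "authenticated" (cookie plus nonce accepted) and still let a subscriber read arbitrary users. The hardened version passes the target ID into `current_user_can()` so the decision is made per object, not just per role, and trims the response so a future authorization slip leaks less.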

Preconditions

  • auth: Attacker must be authenticated as any WordPress user (e.g., subscriber).
  • config: The vulnerable REST API route must be exposed (default behavior of the plugin).
  • input: Attacker must know or enumerate the target user's ID.

Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
