Themeco Cornerstone < 7.8.8 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Password Hash Disclosure

An authenticated attacker (as low as Subscriber) can call the unprotected CSS-preview request handler because the required nonce is leaked on every wp-admin page. By crafting a request that evaluates dynamic content tokens against an arbitrary user ID, the attacker extracts sensitive metadata including the raw password hash of that user. The vulnerability is classified as sensitive data disclosure [ref_id=1].

The Cornerstone WordPress plugin (premium, bundled with X Theme) before version 7.8.8 fails to enforce capability checks on one of its CSS-preview request handlers. The nonce needed to call that handler is exposed to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users.

The advisory states the fix is included in version 7.8.8 [ref_id=1]. The patch does not show the exact code change, but the remediation presumably adds a proper capability check (e.g., `current_user_can()`) to the CSS-preview handler and restricts nonce exposure so that only users with sufficient privileges can invoke it. This prevents low-privileged users from evaluating dynamic content tokens against arbitrary users.