Cornerstone
by WordPress
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-32570 | | Hig | 0.46 | 7.1 | 0.00 | | Apr 18, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Archetyped Cornerstone allows Reflected XSS. This issue affects Cornerstone: from n/a through 0.8.0. |
| CVE-2024-28002 | | Hig | 0.46 | 7.1 | 0.00 | | Mar 28, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Archetyped Cornerstone allows Reflected XSS. This issue affects Cornerstone: from n/a through 0.8.0. |
| CVE-2025-63072 | | Med | 0.42 | 6.5 | 0.00 | | Dec 9, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THEMECO Cornerstone cornerstone allows Stored XSS. This issue affects Cornerstone: from n/a through <= 7.7.3. |
| CVE-2026-9710 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens… |
| CVE-2026-9709 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects… |
| CVE-2026-54185 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Subscriber SQL Injection in Cornerstone < 7.8.8 versions. |
| CVE-2026-49113 | | | 0.00 | — | 0.00 | | Jun 16, 2026 | Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions. |