WordPress Plugin Vulnerabilities

Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Meta Disclosure

Description

The plugin does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium Themeco Cornerstone page builder distributed bundled with the X Theme, not the unrelated free `cornerstone` plugin (v0.8.x) on the .org repository.

Proof of Concept

Affects Plugins

Fixed in 7.8.9

References

Classification

Type
SENSITIVE DATA DISCLOSURE
CWE
CVSS

Miscellaneous

Original Researcher
Real_King_Engine (ISAL FRAMEWORK)
Submitter
Real_King_Engine (ISAL FRAMEWORK)
Verified
Yes

Timeline

Publicly Published
2026-06-03 (about 1 month ago)
Added
2026-06-03 (about 1 month ago)
Last Updated
2026-07-10 (about 4 days ago)

Other