
CVE-2026-9710: Themeco Cornerstone < 7.8.8 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Password Hash Disclosure

EPSS 0.22% · P12

I. Basic Information for CVE-2026-9710

Vulnerability Information


Vulnerability Title
Themeco Cornerstone < 7.8.8 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Password Hash Disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium Themeco Cornerstone page builder distributed bundled with the X Theme, not the unrelated free `cornerstone` plugin (v0.8.x) on the WordPress.org repository.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
Unknown | Cornerstone | 3.0.0 ~ 7.8.8 | -

II. Public POCs for CVE-2026-9710


No public POC found.


III. Intelligence Information for CVE-2026-9710


Vendor Advisories for CVE-2026-9710 (1)

Same Patch Batch · Unknown · 2026-06-24 · 6 CVEs total

CVE-2026-9709: Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User M
CVE-2026-10531: AI Share & Summarize < 2.0.4 - Contributor+ Stored XSS via title_style Shortcode Attribute
CVE-2026-10753: Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update
CVE-2026-10749: Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData
CVE-2026-10735: ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

IV. Related Vulnerabilities
