CVE Catalog

CVE-2026-9709

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields.

Risk Assessment

The organization may be exposed to the disclosure of sensitive user information, potentially leading to privacy breaches and data security issues.

Recommendation

It is recommended to update the Cornerstone plugin to version 7.8.9 or later to mitigate this vulnerability.

Original NVD description (English source)

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.9 (v0.8.x) on the .org repository.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS