CVE-2026-9709
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields.
Risk Assessment
The organization may be exposed to the disclosure of sensitive user information, potentially leading to privacy breaches and data security issues.
Recommendation
It is recommended to update the Cornerstone plugin to version 7.8.9 or later to mitigate this vulnerability.
Original NVD description (English source)
The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.9 (v0.8.x) on the .org repository.

