cleantalk
Vulnerabilities and Security Researches

Cornerstone, CVE-2026-9710

CVE, Research URL

CVE-2026-9710

Home page URL

Security reports for Cornerstone

Application

Cornerstone

Published on
Jun 24, 2026
Research Description
The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.8 (v0.8.x) on the .org repository.
Affected versions
max 7.8.8.
Status
vulnerable
Previous vulnerability researches
Advance Nav Menu Manager (CVE-2026-8688) , Jun 25, 2026
New vulnerability
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One (CVE-2026-56052) , Jun 26, 2026
Cornerstone (CVE-2026-9710) , Jun 26, 2026
Cornerstone (CVE-2026-9709) , Jun 26, 2026
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates (CVE-2026-10833) , Jun 26, 2026
Post Duplicator (CVE-2026-10749) , Jun 26, 2026