Authentication Bypass in Cornerstone WordPress Page Builder Plugin by Cornerstone
CVE-2026-9709
Currently unrated
Key Information:
- Vendor: WordPress
- Status
- Vendor
- CVE Published: 24 June 2026
Badges
- Exploit Exists
- Public PoC
What is CVE-2026-9709?
The Cornerstone WordPress plugin prior to version 7.8.9 does not enforce capability checks on its REST API routes. As a result, any authenticated user can access metadata belonging to other users, potentially exposing sensitive information such as user roles, session token previews, and billing or shipping details. This vulnerability primarily impacts the premium Cornerstone page builder integrated with the X theme, not the standalone Cornerstone plugin found in the .org repository.
Affected Version(s)
Cornerstone 3.0.0 < 7.8.9
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.