CVE-2026-9709
WordPress vulnerability analysis and mitigation

Overview

CVE-2026-9709 is an authorization bypass vulnerability in the Themeco Cornerstone WordPress plugin (premium, bundled with the X Theme) that allows any authenticated user (Subscriber-level or above) to disclose arbitrary user metadata. Affected versions range from 3.0.0 up to, but not including, 7.8.9. The vulnerability was publicly disclosed on June 3, 2026, and added to the GitHub Advisory Database on June 24, 2026. WPScan classifies it with a CVSS score of 7.7 (High) and CWE-200 (Information Exposure) (WPScan, GitHub Advisory).

Technical details

The root cause is a missing capability check (CWE-200 / OWASP A3: Sensitive Data Exposure) on the REST API route /wp-json/themeco/data/dynamic-choices. Any authenticated WordPress user can craft a gzip+base64-encoded JSON payload specifying a target user_id and send it to this endpoint using a standard WP REST nonce, bypassing all authorization controls. The endpoint returns the target user's metadata (truncated to ~55 characters per value), including serialized role data, session token hash prefixes, and WooCommerce billing/shipping fields. A working proof-of-concept was published by the original researcher (Real_King_Engine / ISAL FRAMEWORK) alongside the WPScan advisory (WPScan).

Impact

Successful exploitation allows any logged-in user — including low-privilege Subscribers — to enumerate sensitive metadata for any other WordPress user on the site, including administrators. Exposed data includes full role serialization (e.g., a:1:{s:13:"administrator";b:1;}), session token hash previews (which could aid session hijacking attempts), and stored WooCommerce billing/shipping address fields. On e-commerce sites running WooCommerce, this represents a significant PII exposure risk for all registered customers (WPScan, Github Advisory).

Exploitation steps

  1. Reconnaissance: Identify WordPress sites running the premium Themeco Cornerstone plugin (bundled with the X Theme) at versions below 7.8.9. This can be done via HTTP response headers, page source inspection, or tools like WPScan.
  2. Obtain a low-privilege account: Register or obtain credentials for any WordPress account with at least Subscriber-level access on the target site.
  3. Authenticate and retrieve REST nonce: Log in via wp-login.php using curl with a cookie jar, then fetch the WP REST nonce from wp-admin/admin-ajax.php?action=rest-nonce.
  4. Build the encoded payload: Construct a JSON object {"type":"usermeta","context":{"user":"<target_user_id>"}}, compress it with gzip, and base64-encode the result (e.g., targeting user_id=1 for the administrator).
  5. Send the malicious request: Issue a GET request to /wp-json/themeco/data/dynamic-choices with the X-WP-Nonce header and query parameters gzip=1 and request=<encoded_payload>.
  6. Decode the response: The data field in the JSON response is itself gzip+base64-encoded. Decode it to reveal the target user's metadata, including roles, session token previews, and WooCommerce billing/shipping fields (WPScan).

Indicators of compromise

  • Network: Unusual GET requests to /wp-json/themeco/data/dynamic-choices from low-privilege user sessions, especially with gzip=1 and encoded request parameters; repeated requests targeting multiple different user_id values in rapid succession.
  • Logs: WordPress access logs showing authenticated requests to the themeco/data/dynamic-choices REST endpoint from Subscriber-level accounts; requests originating from unexpected IP addresses or user agents.
  • Logs: REST API nonce retrieval (admin-ajax.php?action=rest-nonce) immediately followed by requests to the vulnerable endpoint from the same session cookie.
  • Application: Unexpected enumeration of user IDs (sequential integers in the context.user field of decoded payloads) suggesting automated scraping of user metadata (WPScan).
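The indicators above can be checked mechanically. The following PHP command-line script is an added example written for this page; it is not part of the WPScan advisory, the Wiz report, or the Cornerstone plugin. It assumes a constructed access-log format in which the web server was configured to log a hashed session cookie as the second field (standard combined logs carry no cookie, so the regex must be adapted to a real deployment). It decodes the gzip+base64 request parameter the same way the advisory describes, then flags a rest-nonce fetch followed by a hit on the vulnerable route from the same session, and any session that requested metadata for several distinct user_id values. The sample log lines are constructed inside the script so it runs offline.

```php
<?php
// Added detection example (not from the advisory, Wiz, or Themeco).
// Assumed, constructed log format:  <ip> <session-hash> "<METHOD> <path>" <status>

const VULN_ROUTE  = '/wp-json/themeco/data/dynamic-choices';
const NONCE_ROUTE = '/wp-admin/admin-ajax.php?action=rest-nonce';

// Builds the encoded request parameter in the format the advisory describes,
// only so the constructed sample log lines below look like real traffic.
function encode_request(int $userId): string {
    $json = json_encode(['type' => 'usermeta', 'context' => ['user' => (string) $userId]]);
    return rawurlencode(base64_encode(gzencode($json)));
}

// Reverses base64 -> gzip -> JSON; returns null on anything that is not a valid payload.
function decode_request(string $param): ?array {
    $raw = base64_decode($param, true);
    if ($raw === false) return null;
    $json = @gzdecode($raw);
    if ($json === false) return null;
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

function parse_line(string $line): ?array {
    if (!preg_match('/^(\S+) (\S+) "(\S+) (\S+)" (\d{3})$/', $line, $m)) return null;
    return ['ip' => $m[1], 'session' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Returns a list of human-readable findings for the given log lines.
function analyse(array $lines, int $enumThreshold = 3): array {
    $findings = [];
    $sawNonce = [];   // session => true once a rest-nonce fetch was seen
    $targets  = [];   // session => set of user ids requested via the vulnerable route
    foreach ($lines as $line) {
        $e = parse_line($line);
        if ($e === null) continue;
        $sess = $e['session'];
        if (strpos($e['path'], NONCE_ROUTE) === 0) { $sawNonce[$sess] = true; continue; }
        if (strpos($e['path'], VULN_ROUTE) !== 0) continue;

        if (!empty($sawNonce[$sess])) {
            $findings[] = "$sess: rest-nonce fetch followed by request to " . VULN_ROUTE;
            unset($sawNonce[$sess]);   // report once per session
        }
        parse_str(parse_url($e['path'], PHP_URL_QUERY) ?? '', $q);
        if (!isset($q['request'])) continue;
        // parse_str turns a literal '+' into a space; restore it before base64 decoding.
        $payload = decode_request(str_replace(' ', '+', $q['request']));
        if ($payload !== null && ($payload['type'] ?? '') === 'usermeta') {
            $uid = $payload['context']['user'] ?? null;
            if ($uid !== null) $targets[$sess][$uid] = true;
        }
    }
    foreach ($targets as $sess => $ids) {
        if (count($ids) >= $enumThreshold) {
            $findings[] = "$sess: requested metadata for " . count($ids)
                        . " distinct user_id values: " . implode(',', array_keys($ids));
        }
    }
    return $findings;
}

// Constructed sample log: session sess-a1 behaves like the advisory's attack chain,
// session sess-b2 makes a single request and should not be flagged.
$sample = [
    '203.0.113.7 sess-a1 "GET ' . NONCE_ROUTE . '" 200',
    '203.0.113.7 sess-a1 "GET ' . VULN_ROUTE . '?gzip=1&request=' . encode_request(1) . '" 200',
    '203.0.113.7 sess-a1 "GET ' . VULN_ROUTE . '?gzip=1&request=' . encode_request(2) . '" 200',
    '203.0.113.7 sess-a1 "GET ' . VULN_ROUTE . '?gzip=1&request=' . encode_request(3) . '" 200',
    '198.51.100.9 sess-b2 "GET ' . VULN_ROUTE . '?gzip=1&request=' . encode_request(42) . '" 200',
];
foreach (analyse($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run with `php detect.php`; only sess-a1 produces findings. The enumeration threshold of three distinct IDs is an arbitrary starting point: a legitimate Cornerstone editor may query a few user IDs while building pages, so tune it against the site's normal traffic before alerting on it.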

Mitigation and workarounds

Update the Themeco Cornerstone plugin (bundled with the X Theme) to version 7.8.9 or later, which enforces proper capability checks on the affected REST API route. If immediate patching is not possible, consider restricting REST API access to trusted roles only via a WordPress security plugin or server-level rules, and review access logs for unauthorized metadata disclosure attempts. Note that this vulnerability affects only the premium Cornerstone plugin bundled with the X Theme — not the unrelated free cornerstone plugin (v0.8.x) available on the WordPress.org repository (WPScan, Github Advisory).
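For sites that cannot update immediately, the following must-use plugin is an added example of the "restrict REST API access to trusted roles" workaround; it is not Themeco's fix and it is not code from the advisory or from Wiz. It assumes that denying the route to users without the edit_users capability is acceptable for the site (the capability choice is an assumption; any Cornerstone builder feature that depends on this route will stop working for lower roles while the guard is in place), and that the route name matches the path given in the advisory with the /wp-json prefix removed.

```php
<?php
/**
 * Plugin Name: Stopgap guard for the themeco dynamic-choices REST route
 * Description: Added example (not Themeco's patch). Copy to wp-content/mu-plugins/
 *              and remove once Cornerstone 7.8.9 or later is installed.
 */

// rest_pre_dispatch runs before the route callback; returning a WP_Error here
// short-circuits the request with that error instead of the route's normal output.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // Route as registered by the plugin, i.e. the advisory path without /wp-json.
    $guarded = '/themeco/data/dynamic-choices';
    if (rtrim($request->get_route(), '/') !== $guarded) {
        return $result;   // some other route, leave it untouched
    }
    // Assumption: only users who may manage other users should read other users' meta.
    if (current_user_can('edit_users')) {
        return $result;
    }
    return new WP_Error(
        'rest_forbidden',
        'Insufficient privileges for this route.',
        ['status' => 403]
    );
}, 10, 3);
```

Because the guard sits in mu-plugins it cannot be deactivated from the dashboard and loads before regular plugins. Keep the access-log review from the previous section running alongside it: the guard stops new disclosure but tells you nothing about requests that succeeded before it was installed.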

Community reactions

The vulnerability was discovered and responsibly disclosed by researcher Real_King_Engine (ISAL FRAMEWORK), who also submitted the detailed proof-of-concept to WPScan. No notable vendor statements beyond the patch release or significant broader media coverage have been identified at this time (WPScan).

Additional resources

Source: This report was generated with the help of AI.

Related WordPress vulnerabilities:

CVE ID        | Severity | Score | Component                  | CISA KEV exploit | Fixed | Publication date
CVE-2026-7761 | NONE     | N/A   | ultimate-member            | No               | Yes   | Jun 24, 2026
CVE-2026-9724 | NONE     | N/A   | motordesk                  | No               | No    | Jun 24, 2026
CVE-2026-9721 | NONE     | N/A   | book-a-room-event-calendar | No               | No    | Jun 24, 2026
CVE-2026-9710 | NONE     | N/A   | cornerstone                | No               | Yes   | Jun 24, 2026
CVE-2026-9709 | NONE     | N/A   | cornerstone                | No               | Yes   | Jun 24, 2026
