Skip to content

CVE-2026-9710

is CVE-2026-9710real, exploitable, or a false positive? Here's the community verdict.

☆ Watch
High · CVSS 7.7EPSS 0.1%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.8 (v0.8.x) on the .org repository.

References

NVD MITRE CVE.org

Published

Embed this verdict
TruePositive verdict for CVE-2026-9710
Markdown
[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-9710/badge.svg)](https://www.truepositive.app/cve/CVE-2026-9710)
HTML
<a href="https://www.truepositive.app/cve/CVE-2026-9710"><img src="https://www.truepositive.app/cve/CVE-2026-9710/badge.svg" alt="TruePositive verdict for CVE-2026-9710"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

In your experience, is this finding real and exploitable?

0 verdicts
Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

    Add a field note or remediationoptional
    Note type

    What are you adding?

    Markdown supported · minimum 20 characters.