CVE-2026-9709

The CVE concerns the premium Cornerstone WordPress page builder (bundled with X Theme) prior to version 7.8.9. A REST API route fails to enforce capability checks, allowing any authenticated user to disclose other users’ metadata, including roles, session token previews, and stored billing/shippi...