How does this vulnerability work?

The vulnerability allows attackers to send crafted requests to WordPress AJAX endpoints, where user-supplied input is processed unsafely. This can lead to the execution of malicious PHP code on the server, compromising the site’s security.

Who is affected by CVE-2026-49113?

Any WordPress site using the Cornerstone plugin version below 7.8.8 is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to execute arbitrary code.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Cornerstone plugin installed on your WordPress site. If it is below 7.8.8, your site is vulnerable and should be updated immediately.

What is the recommended fix for this vulnerability?

The primary fix is to upgrade the Cornerstone plugin to version 7.8.8 or higher, which contains a patch for this vulnerability. Additionally, review your site’s security practices to ensure proper input validation and sanitization.

What does a CVSS score of 8.8 mean?

A CVSS score of 8.8 indicates a high severity vulnerability. This means that successful exploitation can lead to significant impacts, including full site compromise, loss of data confidentiality, integrity, and availability.

What is the proof of concept for this vulnerability?

The proof of concept involves an authenticated Subscriber sending a POST request to an AJAX endpoint with malicious PHP code embedded in a parameter. This code is then executed by the plugin, demonstrating the vulnerability’s impact.

What are the potential impacts of exploitation?

If exploited, an attacker can execute arbitrary PHP code, leading to full site compromise. This includes accessing and modifying the database, uploading malicious files, and potentially affecting other applications on the same server.

How can I further secure my WordPress site?

In addition to updating the Cornerstone plugin, consider implementing security measures such as regular backups, using security plugins, enforcing strong passwords, and limiting user permissions to reduce the risk of exploitation.

Is there a way to mitigate the risk if I cannot update immediately?

If an immediate update is not possible, consider disabling the Cornerstone plugin temporarily to prevent exploitation. Additionally, monitor user activity closely and restrict access to the site as a precaution.

What is CWE-94 and how does it relate to this vulnerability?

CWE-94 refers to ‘Improper Control of Generation of Code’, which indicates that user input is improperly handled, allowing for code injection. This vulnerability falls under this classification due to unsafe execution of user-supplied input.

Published : June 14, 2026

CVE-2026-49113: Cornerstone < 7.8.8 Authenticated (Subscriber+) Arbitrary Code Execution PoC, Patch Analysis & Rule

Q: What is CVE-2026-49113?

CVE-2026-49113 is a high-severity vulnerability in the Cornerstone plugin for WordPress, allowing authenticated attackers with Subscriber-level access or higher to execute arbitrary code on the server. This vulnerability affects all versions of the plugin prior to 7.8.8.

CVE ID CVE-2026-49113

Plugin cornerstone

Severity High (CVSS 8.8)

CWE 94

Vulnerable Version 7.8.8

Patched Version —

Disclosed June 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-49113 (metadata-based):

This vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary code on the server. The affected component is the Cornerstone plugin for WordPress versions below 7.8.8. The CVSS 3.1 score is 8.8 (High) with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network exploitation, low complexity, low privileges required, no user interaction, and full compromise of confidentiality, integrity, and availability.

Root Cause: The vulnerability is classified as CWE-94: Improper Control of Generation of Code (Code Injection). Based on this classification and the description, Atomic Edge research infers that the plugin passes user-supplied input into an insecure `eval()`, `create_function()`, `call_user_func()`, or similar PHP code execution function without proper sanitization. This likely occurs in the plugin’s page builder or template rendering engine, where shortcodes, CSS/JS injections, or dynamic data binding features accept input from authenticated users and process it as executable code. Without source code access, Atomic Edge cannot confirm the exact vulnerable function, but the CWE suggests a direct code injection pattern where attacker-controlled strings are interpolated into PHP code constructs.

Exploitation: Atomic Edge analysis indicates the attack vector involves an authenticated Subscriber sending a crafted request to a WordPress AJAX endpoint or REST API route exposed by the Cornerstone plugin. The likely endpoint is `/wp-admin/admin-ajax.php` with an action parameter like `cornerstone_save`, `cornerstone_render`, or `cornerstone_load`. The attacker sends a POST request containing malicious PHP code (for example, `system(‘id’)` or `file_put_contents(‘/wp-content/uploads/shell.php’, ”)`) within a parameter that the plugin processes as a template or dynamic content value. The plugin then unsafely evaluates this input, executing the injected code on the server. No nonce bypass is required because the vulnerability exists even with valid authentication.

Remediation: The fix for CWE-94 code injection requires the plugin to replace all instances of dynamic code execution (eval, create_function, call_user_func with unsanitized input) with safe alternatives. The plugin should validate and sanitize any user-supplied data before processing it. If dynamic template rendering is necessary, the plugin should employ a sandboxed template engine (like Twig) that does not allow arbitrary PHP execution. Atomic Edge recommends upgrading to Cornerstone version 7.8.8 or higher, which contains the patch.

Impact: Successful exploitation gives an authenticated attacker with low privileges (Subscriber) the ability to execute arbitrary PHP code on the WordPress server. This leads to full site compromise: the attacker can access and modify the database, execute system commands, upload malicious files, create administrative users, and pivot to other applications on the same server. Data confidentiality is lost, integrity is compromised, and availability may be affected if the attacker corrupts the site or deletes critical files.

Frequently Asked Questions

What is CVE-2026-49113?
Overview of the vulnerability
CVE-2026-49113 is a high-severity vulnerability in the Cornerstone plugin for WordPress, allowing authenticated attackers with Subscriber-level access or higher to execute arbitrary code on the server. This vulnerability affects all versions of the plugin prior to 7.8.8.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send crafted requests to WordPress AJAX endpoints, where user-supplied input is processed unsafely. This can lead to the execution of malicious PHP code on the server, compromising the site’s security.
Who is affected by CVE-2026-49113?
Identifying vulnerable users
Any WordPress site using the Cornerstone plugin version below 7.8.8 is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to execute arbitrary code.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify the version of the Cornerstone plugin installed on your WordPress site. If it is below 7.8.8, your site is vulnerable and should be updated immediately.
What is the recommended fix for this vulnerability?
Mitigation steps
The primary fix is to upgrade the Cornerstone plugin to version 7.8.8 or higher, which contains a patch for this vulnerability. Additionally, review your site’s security practices to ensure proper input validation and sanitization.
What does a CVSS score of 8.8 mean?
Understanding the risk level
A CVSS score of 8.8 indicates a high severity vulnerability. This means that successful exploitation can lead to significant impacts, including full site compromise, loss of data confidentiality, integrity, and availability.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept involves an authenticated Subscriber sending a POST request to an AJAX endpoint with malicious PHP code embedded in a parameter. This code is then executed by the plugin, demonstrating the vulnerability’s impact.
What are the potential impacts of exploitation?
Consequences of a successful attack
If exploited, an attacker can execute arbitrary PHP code, leading to full site compromise. This includes accessing and modifying the database, uploading malicious files, and potentially affecting other applications on the same server.
How can I further secure my WordPress site?
Best practices for WordPress security
In addition to updating the Cornerstone plugin, consider implementing security measures such as regular backups, using security plugins, enforcing strong passwords, and limiting user permissions to reduce the risk of exploitation.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary protective measures
If an immediate update is not possible, consider disabling the Cornerstone plugin temporarily to prevent exploitation. Additionally, monitor user activity closely and restrict access to the site as a precaution.
What is CWE-94 and how does it relate to this vulnerability?
Understanding the classification
CWE-94 refers to ‘Improper Control of Generation of Code’, which indicates that user input is improperly handled, allowing for code injection. This vulnerability falls under this classification due to unsafe execution of user-supplied input.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations