CVE-2026-49113: WordPress Cornerstone plugin < 7.8.8 - Arbitrary Code Execution vulnerability
Arbitrary Code Execution by a subscriber-level user in Cornerstone versions before 7.8.8.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: 7.8.8
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary code execution vulnerability affects the Cornerstone WordPress plugin in versions before 7.8.8. A remote attacker with a low-privilege (subscriber-level) account can reach the vulnerable endpoint over the network without requiring any victim interaction, exploiting a high-complexity condition to run arbitrary code on the server. Successful exploitation gives the attacker full read, write, and availability impact on the hosting environment, including data outside the WordPress installation itself. A patched-image rebuild at version 7.8.8 is available on HarborGuard for environments running an affected version of Cornerstone.
HarborGuard Coverage
Detection of CVE-2026-49113 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in connected registries and CI pipelines, covering custom-built images that bundle the Cornerstone plugin.
HarborGuard scores this CVE at 8.5 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to prioritize routing; alerts are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at Cornerstone 7.8.8 becomes available on HarborGuard the moment the fix version is confirmed in the upstream advisory. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress service over the network; the vulnerable endpoint is exposed via the standard HTTP interface.
- Authentication: Required
A low-privilege account (subscriber-level or equivalent) is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
No user interaction is required; the attacker exploits the endpoint directly without involving another authenticated user.
- Attack complexity: High
Exploitation is rated high complexity, meaning the attacker must meet specific environmental conditions or timing constraints, such as a particular server configuration or race condition, to succeed reliably.
Blast Radius
- The attacker executes arbitrary code under the web server process, gaining a foothold on the underlying host.
- Confidentiality impact is high: the attacker reads files, environment variables, database credentials, and session tokens accessible to the web process, including data outside the WordPress installation due to the changed scope.
- Integrity impact is high: the attacker writes or modifies files, database records, and configurations on the server.
- Availability impact is high: the attacker can crash or disable the WordPress application or consume host resources, taking the site offline.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49113 is active across all connected registries and pipelines, matching any image that bundles Cornerstone below version 7.8.8. For environments where a fix is available, a rebuilt image at Cornerstone 7.8.8 is prepared and surfaced in the HarborGuard dashboard. Customers with auto-remediation enabled receive a full rebuild, an automated regression run, and a pull request opened against affected workloads; for high-severity issues at this score, the median time from CVE publication to merged patch PR is around 90 minutes in auto-remediation-enabled environments. Where compliance policy does not permit automatic remediation, the dashboard surfaces the affected images with a prioritized upgrade recommendation. As an interim compensating control, teams can consider restricting subscriber-level account registration on the WordPress instance and applying network-layer access controls to limit exposure of the Cornerstone endpoint to trusted IP ranges while the upgrade is scheduled.
Fix available
- THEMECO / Cornerstone < 7.8.8 (from n/a)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H