CVE-2026-54185: WordPress Cornerstone plugin < 7.8.8 - SQL Injection vulnerability
Subscriber SQL Injection in Cornerstone < 7.8.8 versions.
Metrics
- CVSS v3.1
- 8.5
- Severity
- HIGH
- Fixed in
- 7.8.8
- Affected Products
- 1
HarborGuard Analysis
Synopsis
SQL injection vulnerability in the WordPress Cornerstone plugin affects all versions below 7.8.8. The flaw is reachable over the network and requires only a low-privilege (subscriber-level) account to exploit, with no further user interaction needed. Successful exploitation gives an attacker read access to sensitive database contents across any site running the affected plugin, and can also partially disrupt service availability. A patched-image rebuild at version 7.8.8 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Cornerstone plugin. Any image layer containing a Cornerstone version below 7.8.8 is flagged automatically.
AvailableHarborGuard scores this finding at CVSS 8.5 HIGH and weights it against each customer environment's compliance policy, accounting for factors such as whether the affected image is internet-exposed. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at Cornerstone 7.8.8 becomes available on HarborGuard once the fix version is confirmed in the upstream advisory, as it is here. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP/HTTPS.
- AuthenticationRequired
A low-privilege account (subscriber-level or equivalent) is sufficient; no administrative access is needed.
- Victim interactionNot required
The attacker does not need to trick any user into taking an action; the injection can be triggered directly.
- Attack complexityDetail
Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors required.
Blast Radius
- Reads arbitrary rows from the WordPress database, including stored user credentials, session tokens, private post content, and plugin configuration data.
- The scope extends beyond the vulnerable component itself (S:C), meaning data from other applications sharing the same database server may also be exposed.
- Partial disruption of service availability is possible, for example through resource-exhausting queries that slow or crash database responses.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-54185 runs against all images in connected registries and CI pipelines, covering custom WordPress images that bundle the Cornerstone plugin. For environments where the affected version is present, a rebuild at Cornerstone 7.8.8 is ready to deploy. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merge, the PR and supporting scan report are queued for engineer approval. Customers not yet on auto-remediation should prioritize upgrading any image that bundles Cornerstone below 7.8.8, and should consider restricting subscriber-level registration on affected WordPress sites as a compensating control until the patched image is deployed.
Fix available
- THEMECO / Cornerstone< 7.8.8 (from n/a)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L