An authenticated SQL injection vulnerability in the Cornerstone page builder poses a high risk of unauthorized database manipulation and information disclosure.

The vulnerability is caused by improper sanitization of parameters within the Cornerstone plugin, allowing authenticated subscribers to inject malicious SQL commands. This could lead to unauthorized database access or modification.

The CVSS score of 8.5 underscores the severity of this vulnerability. Successful exploitation could allow an attacker to bypass security controls, leading to the unauthorized disclosure of sensitive information or the modification of site content, impacting business integrity and availability.

Immediate Action: Apply the latest available security patch for the Cornerstone page builder immediately.

Proactive Monitoring: Monitor application and database logs for suspicious SQL syntax or abnormal query execution times associated with subscriber accounts.

Compensating Controls: Utilize a WAF to inspect and filter incoming traffic for SQL injection strings, providing a temporary layer of protection while updates are being deployed.

Public Exploit Available: false

Immediate remediation is required to mitigate this threat. Organizations should verify their current version of Cornerstone and coordinate the update process to ensure all instances are secured against potential unauthorized access.