Skip to main content

The Grid CVE-2026-24369

| EUVDEUVD-2026-15563 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-fh76-q46q-x23c
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.8.0
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15563
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0.

AnalysisAI

The Grid WordPress plugin versions prior to 2.8.0 contain a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels. This broken access control flaw enables unauthorized users to bypass authentication mechanisms and access functionality or data they should not have permission to reach. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15563, indicating active tracking by vulnerability databases.

Technical ContextAI

The Grid is a WordPress plugin (CPE: cpe:2.3:a:theme-one:the_grid:*:*:*:*:*:*:*:*) that provides grid-based layout and content management functionality. The vulnerability stems from CWE-862 (Missing Authorization), which represents a failure to properly enforce access control checks before allowing users to perform sensitive operations or access protected resources. This occurs when the plugin does not adequately validate user roles, capabilities, or permissions before executing privileged actions, allowing attackers to bypass WordPress's standard role-based access control (RBAC) model. The flaw affects The Grid from unspecified early versions through version 2.7.x, suggesting the security configuration has been inadequately implemented across multiple release cycles.

RemediationAI

Immediately upgrade The Grid to version 2.8.0 or later, which addresses the missing authorization vulnerability. Users should verify the upgrade through the WordPress plugin dashboard and confirm the active version matches 2.8.0+. If immediate patching is not feasible, administrators should restrict plugin functionality by disabling the vulnerable features or limiting access to the plugin's dashboard to trusted administrator accounts only via WordPress role management. Review user permissions and audit any suspicious access logs for signs of unauthorized use. The vulnerability details and patch confirmation are available on the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability-2?_s_id=cve.

Share

CVE-2026-24369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy