Skip to main content

The Grid CVE-2026-24370

| EUVDEUVD-2026-15565 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-ghg5-chx7-mwc9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.8.0
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15565
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme-one The Grid the-grid allows Stored XSS.This issue affects The Grid: from n/a through < 2.8.0.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in Theme-one's The Grid WordPress plugin versions prior to 2.8.0, allowing attackers to inject and persist malicious scripts that execute in the browsers of other users viewing affected pages. An authenticated or unauthenticated attacker can exploit improper input neutralization during web page generation to inject arbitrary JavaScript code. While no CVSS score, EPSS probability, or KEV status has been assigned, the vulnerability is confirmed by Patchstack and carries significant risk given the stored nature of the XSS and the plugin's widespread WordPress ecosystem adoption.

Technical ContextAI

The Grid (cpe:2.3:a:theme-one:the_grid:*:*:*:*:*:*:*:*) is a WordPress plugin that generates dynamic grid-based layouts. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is not properly sanitized or escaped before being rendered in HTML output. Rather than implementing robust input validation and context-aware output encoding (HTML entity encoding, JavaScript escaping, or Content Security Policy), the plugin directly incorporates user input into page generation logic. This allows attackers to bypass client-side and server-side filtering, resulting in persistent XSS payloads that execute whenever affected content is viewed.

RemediationAI

Immediately upgrade Theme-one The Grid to version 2.8.0 or later, which contains the fix for this Stored XSS vulnerability. Site administrators should log into their WordPress dashboard, navigate to Plugins > Installed Plugins, locate "The Grid," and click "Update" if available. For sites unable to patch immediately, implement the following temporary mitigations: (1) Disable The Grid plugin until the patch is deployed; (2) Restrict access to The Grid configuration and content creation pages to trusted administrators only via IP whitelisting or authentication plugins; (3) Deploy a Web Application Firewall (WAF) with rules to detect and block common XSS payloads in POST/GET parameters; (4) Enable WordPress security plugins with output escaping enhancements; (5) Audit existing grid content for malicious scripts and sanitize if necessary. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-cross-site-scripting-xss-vulnerability for detailed patch notes.

Share

CVE-2026-24370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy