Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme-one The Grid the-grid allows Stored XSS.This issue affects The Grid: from n/a through < 2.8.0.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in Theme-one's The Grid WordPress plugin versions prior to 2.8.0, allowing attackers to inject and persist malicious scripts that execute in the browsers of other users viewing affected pages. An authenticated or unauthenticated attacker can exploit improper input neutralization during web page generation to inject arbitrary JavaScript code. While no CVSS score, EPSS probability, or KEV status has been assigned, the vulnerability is confirmed by Patchstack and carries significant risk given the stored nature of the XSS and the plugin's widespread WordPress ecosystem adoption.
Technical ContextAI
The Grid (cpe:2.3:a:theme-one:the_grid:*:*:*:*:*:*:*:*) is a WordPress plugin that generates dynamic grid-based layouts. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is not properly sanitized or escaped before being rendered in HTML output. Rather than implementing robust input validation and context-aware output encoding (HTML entity encoding, JavaScript escaping, or Content Security Policy), the plugin directly incorporates user input into page generation logic. This allows attackers to bypass client-side and server-side filtering, resulting in persistent XSS payloads that execute whenever affected content is viewed.
RemediationAI
Immediately upgrade Theme-one The Grid to version 2.8.0 or later, which contains the fix for this Stored XSS vulnerability. Site administrators should log into their WordPress dashboard, navigate to Plugins > Installed Plugins, locate "The Grid," and click "Update" if available. For sites unable to patch immediately, implement the following temporary mitigations: (1) Disable The Grid plugin until the patch is deployed; (2) Restrict access to The Grid configuration and content creation pages to trusted administrators only via IP whitelisting or authentication plugins; (3) Deploy a Web Application Firewall (WAF) with rules to detect and block common XSS payloads in POST/GET parameters; (4) Enable WordPress security plugins with output escaping enhancements; (5) Audit existing grid content for malicious scripts and sanitize if necessary. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-cross-site-scripting-xss-vulnerability for detailed patch notes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15565
GHSA-ghg5-chx7-mwc9