Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
7DescriptionCVE.org
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0.
AnalysisAI
The Grid WordPress plugin versions prior to 2.8.0 contain a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels. This broken access control flaw enables unauthorized users to bypass authentication mechanisms and access functionality or data they should not have permission to reach. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15563, indicating active tracking by vulnerability databases.
Technical ContextAI
The Grid is a WordPress plugin (CPE: cpe:2.3:a:theme-one:the_grid:*:*:*:*:*:*:*:*) that provides grid-based layout and content management functionality. The vulnerability stems from CWE-862 (Missing Authorization), which represents a failure to properly enforce access control checks before allowing users to perform sensitive operations or access protected resources. This occurs when the plugin does not adequately validate user roles, capabilities, or permissions before executing privileged actions, allowing attackers to bypass WordPress's standard role-based access control (RBAC) model. The flaw affects The Grid from unspecified early versions through version 2.7.x, suggesting the security configuration has been inadequately implemented across multiple release cycles.
RemediationAI
Immediately upgrade The Grid to version 2.8.0 or later, which addresses the missing authorization vulnerability. Users should verify the upgrade through the WordPress plugin dashboard and confirm the active version matches 2.8.0+. If immediate patching is not feasible, administrators should restrict plugin functionality by disabling the vulnerable features or limiting access to the plugin's dashboard to trusted administrator accounts only via WordPress role management. Review user permissions and audit any suspicious access logs for signs of unauthorized use. The vulnerability details and patch confirmation are available on the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability-2?_s_id=cve.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15563
GHSA-fh76-q46q-x23c