Description
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.
Published: 2026-01-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) in the Theme-one The Grid plugin: the plugin exposes functionality without enforcing the access control level that should gate it. Because the required permission checks are absent, a user with lower privileges may reach administrative functions or content that should be restricted to higher roles. This can result in unauthorized data modification or exposure, compromising the integrity and confidentiality of the WordPress site.

Affected Systems

Theme-one's The Grid plugin is affected in all releases prior to version 2.8.0; the advisory gives no lower bound, listing the affected range as n/a through < 2.8.0. Any installation running a version older than 2.8.0 is therefore at risk.

Risk and Exploitability

The CVSS score of 8.8 marks this as a high-severity vulnerability. Although the EPSS score is under 1%, indicating a low probability of exploitation at present, the flaw remains actionable. It can be exploited remotely via web requests that the plugin processes, and it is not listed in the CISA KEV catalog. Attackers who can interact with the plugin's endpoints can bypass role checks and elevate their privileges, potentially affecting the entire WordPress installation.

Generated by OpenCVE AI on April 16, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Theme-one The Grid to version 2.8.0 or later to apply the vendor-provided fix.
  • If an upgrade is not immediately possible, restrict use of the plugin to administrator accounts that genuinely need it, and remove or reduce the relevant capabilities for all other roles.
  • As a temporary measure, disable the plugin or block access to its endpoints at the web server or firewall until the update can be deployed.

Generated by OpenCVE AI on April 16, 2026 at 17:49 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 26 Jan 2026 20:15:00 +0000

  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 19:30:00 +0000

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 16:45:00 +0000

  Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

  Type: Description
  Values Added: Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.

  Type: Title
  Values Added: WordPress The Grid plugin < 2.8.0 - Broken Access Control vulnerability

  Type: Weaknesses
  Values Added: CWE-862

  Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:04.899Z

Reserved: 2026-01-22T14:42:32.873Z

Link: CVE-2026-24368

Vulnrichment

Updated: 2026-01-23T16:48:13.313Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:40.303

Modified: 2026-04-23T15:36:43.277

Link: CVE-2026-24368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses