Description
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

A missing authorization flaw in The Grid plugin lets attackers read or modify plugin data and site content that should be restricted to privileged users. Because this is broken access control, a successful request results in unauthorized changes and can compromise the entire site. The weakness is classified as CWE-862 (Missing Authorization).

Affected Systems

All WordPress installations that use Theme-one The Grid plugin version 2.7.x or earlier are vulnerable. The plugin’s affected range spans from its first release through any version prior to 2.8.0, regardless of the underlying WordPress version.

Risk and Exploitability

The CVSS score of 7.1 places the issue in the High severity band, while the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog and no public exploits are documented. The likely attack vector is inferred from the missing-authorization description: an attacker holding a low-privileged authenticated account sends requests to the plugin's API endpoints, which perform privileged operations without verifying that the caller has the capability those operations require.

Generated by OpenCVE AI on March 26, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Theme-one The Grid to version 2.8.0 or newer immediately.
  • Check plugin access control settings to ensure only administrators have permission to use the plugin.
  • Audit existing user roles and remove any unnecessary capabilities that grant access to the plugin.
  • If an upgrade cannot be performed right away, disable the plugin for all non-admin roles until a fix is applied.
  • Monitor site logs for unusual activity involving the plugin’s endpoints.
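The CWE-862 pattern described under Risk and Exploitability, and the role audit recommended above, are easier to reason about with concrete code. The following is an added illustration written for this page, not code from The Grid or from Theme-one: a hypothetical WordPress REST endpoint (namespace `example-grid/v1`, option key `example_grid_layout`, all invented) shown first with a permissive permission callback, then gated on a capability, followed by a small helper that lists which roles hold that capability.

```php
<?php
/**
 * Added illustration (not The Grid's own code): a CWE-862 pattern in a
 * WordPress plugin REST endpoint, in its vulnerable and hardened forms.
 * The route namespace, endpoint names and option key are hypothetical.
 */

// --- Vulnerable form: the route is registered with a permission callback
// that always succeeds, so any caller who can reach the REST API (any
// logged-in user, or anyone at all with __return_true) can save plugin data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-grid/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_grid_save_settings',
        'permission_callback' => '__return_true', // CWE-862: no capability check
    ) );
} );

// --- Hardened form: the same handler, but the permission callback requires
// the capability that administrative plugin actions actually need, and the
// request argument is validated and sanitised before it reaches the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-grid/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_grid_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Cookie-authenticated REST calls also carry a nonce that WordPress
            // core checks before this runs; the capability decision lives here.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'layout' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'masonry', 'grid' ), true );
                },
            ),
        ),
    ) );
} );

// Shared handler: persists the (already validated) layout choice.
function example_grid_save_settings( WP_REST_Request $request ) {
    update_option( 'example_grid_layout', $request->get_param( 'layout' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- Defensive check for the "audit user roles" recommendation: list every
// role that holds the capability the plugin's endpoints should be gated on,
// so an administrator can spot roles that were granted it unnecessarily.
function example_grid_roles_with_cap( $cap = 'manage_options' ) {
    $holders = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $holders[] = $slug;
        }
    }
    return $holders; // on a default WordPress install: array( 'administrator' )
}
```

The key difference between the two registrations is the `permission_callback`: a plugin that omits it (WordPress 5.5 and later logs a notice), or supplies `__return_true`, relies on nothing but reachability, which is exactly the missing-authorization condition the advisory describes. The audit helper can be run from a mu-plugin or WP-CLI shell; `wp cap list <role>` gives the same information per role from the command line.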

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics
    Removed: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
    Added:   cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}

Thu, 26 Mar 2026 20:15:00 +0000

  Metrics
    Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
    Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

  First Time appeared
    Added: Theme-one; Theme-one the Grid; Wordpress; Wordpress wordpress
  Vendors & Products
    Added: Theme-one; Theme-one the Grid; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

  Description
    Added: Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0.
  Title
    Added: WordPress The Grid plugin < 2.8.0 - Broken Access Control vulnerability
  Weaknesses
    Added: CWE-862
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:04.966Z

Reserved: 2026-01-22T14:42:32.873Z

Link: CVE-2026-24369

Vulnrichment

Updated: 2026-03-26T19:41:43.188Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:37.383

Modified: 2026-04-23T15:36:43.423

Link: CVE-2026-24369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:28Z

Weaknesses