Impact
Improper neutralization of user input leads to stored cross-site scripting in the WordPress "The Grid" plugin. Malicious markup can be submitted through plugin input fields, saved, and later executed in the browser of every user who views the affected content, potentially allowing credential theft, session hijacking, or defacement. The weakness is a classic input-validation and output-encoding failure. The impact is limited to sites running the vulnerable plugin, but on such a site it can reach any visitor, compromising the confidentiality and integrity of user sessions. The vulnerability does not grant arbitrary code execution on the server, but it can influence user interactions and data. The CVE description explicitly states a stored XSS flaw.
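As an added example that is not code from The Grid plugin or its vendor: a minimal PHP model of how the stored XSS pattern described above arises when a saved field is echoed unescaped, beside the hardened render that escapes at output time. The field name, markup, and helper names are assumptions for illustration, and plain htmlspecialchars() stands in for WordPress's esc_html()/esc_attr() so the script runs without WordPress.

```php
<?php
// Added illustration, not code from The Grid plugin. Names and markup are
// hypothetical; the point is the difference between raw and escaped output.

// Constructed sample: a grid item title as an attacker might submit it.
const SAMPLE_TITLE = 'Summer sale <img src=x onerror="alert(1)">';

// Simulated persistence layer (stands in for post meta / options storage).
$store = [];

function save_item_title(array &$store, string $title): void
{
    // Stored as submitted. Sanitizing on input alone is not sufficient,
    // because the safe encoding depends on where the value is rendered
    // (HTML text node vs. attribute); escape at the point of output.
    $store['title'] = $title;
}

// VULNERABLE: raw interpolation into HTML lets the stored payload execute
// in the browser of every visitor who views the grid.
function render_item_vulnerable(array $store): string
{
    return '<div class="grid-item" title="' . $store['title'] . '">'
         . $store['title'] . '</div>';
}

// Context-aware escaping for HTML text and attribute contexts.
// In a WordPress plugin the equivalents are esc_html() and esc_attr();
// htmlspecialchars() is used here so the file runs without WordPress.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: the same markup with every stored value escaped for its context.
function render_item_hardened(array $store): string
{
    return '<div class="grid-item" title="' . esc($store['title']) . '">'
         . esc($store['title']) . '</div>';
}

// Regression check a reviewer can run: the rendered HTML must not contain
// the submitted markup verbatim, i.e. no live tag or event handler survives.
function contains_live_markup(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

save_item_title($store, SAMPLE_TITLE);

$vulnerable = render_item_vulnerable($store);
$hardened   = render_item_hardened($store);

printf("vulnerable render carries live markup: %s\n",
    contains_live_markup($vulnerable, SAMPLE_TITLE) ? 'yes' : 'no');
printf("hardened render carries live markup:   %s\n",
    contains_live_markup($hardened, SAMPLE_TITLE) ? 'yes' : 'no');
echo $hardened, PHP_EOL;
```

The check at the end is the kind of assertion worth keeping in a plugin's test suite: render every user-controlled field through each template path and confirm the raw input never appears in the output unencoded.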
Affected Systems
The Grid plugin by Theme-one, a WordPress content-grid solution. All releases earlier than 2.8.0 are affected; the advisory gives the affected range as "n/a through < 2.8.0". Users of the plugin in any environment should check whether they are running an older version. No newer versions have been identified as vulnerable.
Risk and Exploitability
The CVSS score of 6.5 places the flaw in the moderate range. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet. The likely attack vector is remote via the web, with an attacker injecting markup into content that is later served to other users. Exploitation requires only that the vulnerable input field accept unsanitized content, and it does not need authenticated access. Because the flaw is stored, a single submission or content edit by an attacker can affect every user who views that content, making the risk significant for sites with many visitors.
OpenCVE Enrichment