{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24368", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.873Z", "datePublished": "2026-01-22T16:52:45.439Z", "dateUpdated": "2026-04-28T16:14:48.080Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "the-grid", "product": "The Grid", "vendor": "Theme-one", "versions": [{"changes": [{"at": "2.8.0", "status": "unaffected"}], "lessThanOrEqual": "2.8.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:09.944Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Grid: from n/a through < 2.8.0.</p>"}], "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.080Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress The Grid plugin < 2.8.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:00:22.903775Z", "id": "CVE-2026-24368", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:00:25.463Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24368", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.873Z", "datePublished": "2026-01-22T16:52:45.439Z", "dateUpdated": "2026-04-28T14:00:25.463Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "the-grid", "product": "The Grid", "vendor": "Theme-one", "versions": [{"changes": [{"at": "2.8.0", "status": "unaffected"}], "lessThanOrEqual": "2.8.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:09.944Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Grid: from n/a through < 2.8.0.</p>"}], "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.899Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress The Grid plugin < 2.8.0 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:00:22.903775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:48:13.313Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en Theme-one The Grid the-grid permite explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a The Grid: desde n/a hasta &lt; 2.8.0."}], "id": "CVE-2026-24368", "lastModified": "2026-04-28T15:16:06.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:40.303", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T17:58:23.017275+00:00", "value": {"mitigation_remediation": ["Upgrade Theme\u2011one The Grid to version\u202f2.8.0 or later to apply the vendor\u2011provided fix.", "If an upgrade is not immediately possible, limit the plugin\u2019s access by assigning only administrator roles to users who need to use it and remove or reduce permissions for all other roles.", "As a temporary measure, disable the plugin or restrict its endpoints via the web server or firewall until the update can be deployed."], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Theme\u2011one\u2019s The Grid plugin is affected in all releases prior to version\u202f2.8.0, including any unspecified earlier build. Users running any version older than 2.8.0 are at risk, as the issue is present from the first available version up to just before 2.8.0.", "description_and_impact": "The vulnerability is a missing authorization flaw in Theme\u2011one The Grid plugin that allows an attacker to exploit incorrectly configured access control levels. Because the plugin does not enforce proper permissions, a user with lower privileges may gain access to administrative functions or content that should be restricted. This results in unauthorized data modification or exposure, compromising the integrity and confidentiality of the WordPress site.", "risk_and_exploitability": "The CVSS score of 5.3 marks this as a medium\u2011severity vulnerability, and although the EPSS score is under 1\u202f%, indicating a low probability of current exploitation, the flaw remains actionable. The vulnerability can be exploited remotely via web requests that the plugin processes, and it is not listed in the CISA KEV catalog. Attackers who can interact with the plugin\u2019s endpoints can bypass role checks and elevate their privileges, potentially affecting the entire WordPress installation."}}}}, "created": "2026-01-23T16:28:15.982151+00:00", "updated": "2026-04-28T18:00:14.090221+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}