{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24369", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.873Z", "datePublished": "2026-03-25T16:14:31.699Z", "dateUpdated": "2026-03-25T16:14:31.699Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "the-grid", "product": "The Grid", "vendor": "Theme-one", "versions": [{"changes": [{"at": "2.8.0", "status": "unaffected"}], "lessThanOrEqual": "< 2.8.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:14.012Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Grid: from n/a through < 2.8.0.</p>"}], "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.699Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress The Grid plugin < 2.8.0 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0."}], "id": "CVE-2026-24369", "lastModified": "2026-03-25T17:16:37.383", "metrics": {}, "published": "2026-03-25T17:16:37.383", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:04:33.769292+00:00", "value": {"mitigation_remediation": ["Update The Grid plugin to version 2.8.0 or newer", "If an update cannot be applied right away, deactivate the plugin until a patch is available", "Review site content and settings for unauthorized changes"], "summary": {"action": "Patch immediately", "impact": "Unrestricted access allowing unauthorized manipulation of plugin content and settings"}, "threat_synthesis": {"affected_systems": "Theme\u2011one The Grid plugin versions earlier than 2.8.0 are affected, including all releases from the initial release through any pre\u20112.8.0 build. Any site running one of these versions is vulnerable.", "description_and_impact": "The GRiD plugin for WordPress contains a missing authorization flaw that lets users reach privileged functions without being logged in. This broken access control lets an attacker create, edit, or delete content and alter configuration settings, undermining the integrity and possibly the confidentiality of the site. The weakness is identified as CWE\u2011862, a lack of proper authorization checks.", "risk_and_exploitability": "An exact exploit probability is not disclosed, and the issue is not listed in the CISA KEV catalog, but the potential impact is high. The likely attack path is through the WordPress administration interface where the plugin\u2019s settings pages are accessed. Once an attacker obtains access to those pages or can forge requests, they can create, modify, or delete content and change site configuration."}}}}, "created": "2026-03-25T21:34:49.833280+00:00", "updated": "2026-03-25T21:34:49.833306+00:00", "vendors": []}