Cyber Resilience

CVE-2026-24368

Medium

Published: 22 January 2026

Modified: 23 April 2026
CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS score: 0.0019 (8.2th percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-24368 is a medium-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 8.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24368 is a missing authorization vulnerability (CWE-862) in "The Grid", a WordPress plugin developed by Theme-one. Because an authorization check is missing in the plugin's the-grid component, an attacker can exploit incorrectly configured access control security levels. All versions of The Grid prior to 2.8.0 are affected. The vulnerability received a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), which is medium severity, driven mainly by a low-impact confidentiality exposure.

Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Successful exploitation enables unauthenticated access to limited confidential information, without affecting integrity or availability.

Patchstack advisories detail the broken access control vulnerability in the WordPress The Grid plugin and recommend updating to version 2.8.0 or later to mitigate the issue.

Vulnerability details

Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.

CWE(s): CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directly enables remote exploitation of a public-facing WordPress plugin via broken access control (missing authorization) for unauthorized data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69311 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2026-45438 (shared CWE-862)
CVE-2025-23477 (shared CWE-862)
CVE-2025-68834 (shared CWE-862)
CVE-2026-22663 (shared CWE-862)
CVE-2024-12544 (shared CWE-862)
CVE-2024-50967 (shared CWE-862)
CVE-2025-68059 (shared CWE-862)
CVE-2025-14070 (shared CWE-862)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations for access to information, which the plugin failed to implement for its the-grid component.

SI-2 Flaw Remediation (prevent): Requires timely remediation of identified flaws, such as the missing authorization bug fixed in version 2.8.0.

Least privilege (prevent): Enforces least-privilege assignments so that unauthenticated users cannot reach even the limited confidential data exposed by the misconfigured plugin.
