CVE-2026-24369
Published: 25 March 2026
Summary
CVE-2026-24369 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations for logical access, addressing the missing authorization vulnerability that allows low-privileged users to exploit incorrect access control levels in the plugin.
- SI-2 (Flaw Remediation): Remediates the specific flaw in The Grid plugin versions prior to 2.8.0 by identifying, reporting, and applying timely patches to prevent exploitation.
- Least privilege: Limits the privileges of low-privileged accounts such as contributors, reducing the impact of exploitation on availability and integrity even if authorization checks fail.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (broken access control) in a publicly accessible WordPress plugin directly enables remote exploitation of an internet-facing web application by low-privileged authenticated users, matching T1190. No other techniques are directly supported by the described impact or vulnerability type.
NVD Description
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.
Deeper analysis
CVE-2026-24369 is a missing authorization vulnerability (CWE-862) in the WordPress plugin "The Grid" developed by Theme-one. The flaw allows exploitation of incorrectly configured access control security levels in the "the-grid" component. It affects all versions of The Grid prior to 2.8.0 (NVD gives no lower bound, "n/a"). The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H): network accessible, low attack complexity, low privileges required, no user interaction needed, with a high impact on availability, a low impact on integrity, and no impact on confidentiality.
A low-privileged remote attacker, such as a WordPress user with contributor-level access or similar, can exploit this vulnerability over the network without user interaction. Successful exploitation enables the attacker to achieve high disruption to availability, such as causing denial-of-service conditions, alongside low-level integrity violations, potentially allowing limited unauthorized modifications, while confidentiality remains unaffected.
The Patchstack advisory for this vulnerability, accessible at https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability-2?_s_id=cve, indicates that the issue was addressed in version 2.8.0 of the plugin. Security practitioners should recommend immediate updates to The Grid 2.8.0 or later for affected WordPress installations to mitigate the risk.
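To make the CWE-862 pattern and the AC-3 mitigation concrete, the following is an added, illustrative WordPress plugin snippet; it is not code from The Grid or from Theme-one, and the action names, function names and the `example_grid_layouts` option are hypothetical. It shows an admin-ajax handler that any authenticated user (a Contributor included) can invoke because it never checks a capability, beside a hardened version that enforces authorization server-side and also requires a nonce.

```php
<?php
/*
 * Illustrative snippet (hypothetical; not The Grid's code).
 * Demonstrates CWE-862 in a WordPress admin-ajax handler and its fix.
 */

// --- Vulnerable pattern ------------------------------------------------
// The wp_ajax_{action} hook fires for every logged-in user, whatever their
// role. Nothing below verifies that the caller is allowed to reset plugin
// state, so a contributor-level account can wipe the (hypothetical) layout
// data. Destroying configuration is the kind of availability impact the
// advisory's CVSS vector (A:H) describes.
add_action( 'wp_ajax_example_grid_reset', 'example_grid_reset_vulnerable' );

function example_grid_reset_vulnerable() {
    delete_option( 'example_grid_layouts' ); // hypothetical option name
    wp_send_json_success( 'reset' );
}

// --- Hardened pattern --------------------------------------------------
add_action( 'wp_ajax_example_grid_reset_safe', 'example_grid_reset_hardened' );

function example_grid_reset_hardened() {
    // 1. Anti-CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_grid_reset', 'nonce' );

    // 2. Authorization (the AC-3 "access enforcement" check): require a
    //    capability only administrators hold by default. Contributors,
    //    authors and editors all fail here with HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    delete_option( 'example_grid_layouts' );
    wp_send_json_success( 'reset' );
}

// Enqueue-side helper: mint the nonce the hardened handler expects, and only
// for users who could pass the capability check. This is defence in depth;
// the server-side check in the handler remains the authoritative control.
// Assumes a script with handle 'example-grid-admin' has been registered.
function example_grid_localize_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'example-grid-admin', 'exampleGrid', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_grid_reset' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_grid_localize_script' );
```

When reviewing a plugin for this class of flaw, the thing to look for is exactly the gap between the two handlers: every `wp_ajax_*`, REST route `permission_callback`, or `admin_post_*` callback that changes state should name the capability it requires, and a nonce alone is not authorization, since a Contributor can obtain a nonce for any action the page hands out.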
Details
- CWE(s)