CVE-2026-24370
Received Received - Intake
Stored XSS in The Grid Theme ≀ 2.8.0 Enables Code Injection

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme-one The Grid the-grid allows Stored XSS.This issue affects The Grid: from n/a through < 2.8.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24370
EUVD
EUVD-2026-15565
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
theme-one the_grid to 2.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-site Scripting (XSS) issue in the Theme-one The Grid plugin. It occurs due to improper neutralization of input during web page generation, which means that malicious scripts can be injected and stored by the application. When other users view the affected pages, the malicious scripts can execute in their browsers.

Impact Analysis

The impact of this vulnerability includes the potential for attackers to execute malicious scripts in the context of users' browsers. This can lead to theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of users, and possible compromise of user accounts or site integrity.

Compliance Impact

The vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts into websites using the vulnerable plugin. Such vulnerabilities can lead to unauthorized access or manipulation of user data, which may impact compliance with data protection regulations like GDPR or HIPAA by potentially exposing personal or sensitive information.

However, the provided information does not explicitly describe the direct effects of this vulnerability on compliance with specific standards or regulations.

Detection Guidance

This vulnerability allows attackers to inject malicious scripts into websites using the vulnerable plugin. Detection involves monitoring for unusual script injections or unexpected HTML payloads in web pages generated by The Grid plugin versions prior to 2.8.0.

Since exploitation requires user interaction, such as clicking a malicious link or submitting a form, monitoring logs for suspicious user activities or unexpected input submissions can help detect attempts.

Specific commands are not provided in the available resources, but general approaches include scanning web application logs for suspicious input patterns, using web vulnerability scanners that detect stored XSS, or employing security tools that monitor for script injections.

Mitigation Strategies

The primary immediate step is to update The Grid plugin to version 2.8.0 or later, where the vulnerability is patched.

Until the update can be applied, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability, which users are advised to implement.

Additionally, users can enable automatic updates and rapid mitigation services offered by Patchstack to protect affected sites.

Monitoring and restricting privileged user actions that could trigger exploitation can also reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart