CVE-2025-66307

6.5 MEDIUM

📋 TL;DR

This vulnerability in Grav's admin plugin allows attackers to enumerate valid usernames and discover associated email addresses through the 'Forgot Password' functionality. Attackers can leverage this information for targeted attacks like password spraying and phishing. All Grav installations using the admin plugin before version 1.11.0-beta.1 are affected.

💻 Affected Systems

Products:
  • Grav CMS with Admin Plugin
Versions: All versions prior to 1.11.0-beta.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin plugin to be installed and enabled. The vulnerability exists in the admin interface's forgot password functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers build comprehensive user directories, execute targeted password spraying attacks leading to account compromise, and conduct sophisticated phishing campaigns using verified email addresses.

🟠 Likely Case

Attackers enumerate administrative users, discover their email addresses, and use this information for targeted phishing or password spraying against the Grav admin interface.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to information disclosure without direct system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the /admin/forgot endpoint and observing response differences. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.0-beta.1

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7

Restart Required: No

Instructions:

1. Update Grav admin plugin to version 1.11.0-beta.1 or later.
2. Use composer update getgrav/grav-plugin-admin or download from GitHub.
3. Clear cache if necessary.

🔧 Temporary Workarounds

Disable Admin Plugin

all

Temporarily disable the admin plugin to prevent exploitation of the forgot password endpoint.

Remove or rename the /user/plugins/admin directory

Web Application Firewall Rule

all

Block or rate-limit requests to /admin/forgot endpoint.

🧯 If You Can't Patch

  • Implement network-level restrictions to limit access to /admin endpoints to trusted IP addresses only.
  • Enable multi-factor authentication for all admin accounts to mitigate password spraying risks.

🔍 How to Verify

Check if Vulnerable:

Test the /admin/forgot endpoint with valid and invalid usernames. If responses differ (e.g., timing, error messages), the system is vulnerable.

Check Version:

Check composer.lock for "getgrav/grav-plugin-admin" version or inspect plugin directory version file.

Verify Fix Applied:

After patching, test the /admin/forgot endpoint again; responses should be identical (same status, body, and comparable timing) regardless of whether the submitted username exists.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed requests to /admin/forgot with different usernames
  • Unusual patterns of forgot password attempts

Network Indicators:

  • High volume of POST requests to /admin/forgot endpoint
  • Requests from unusual IP addresses to admin interface

SIEM Query:

source="web_logs" AND uri="/admin/forgot" AND (status=200 OR status=400) | stats count by src_ip, user_agent
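The log indicators above can be checked offline against a web server's access log. The following is an added example (not Grav project code) that parses combined-format log lines, keeps only POST requests to /admin/forgot, and flags any source IP that sends at least a threshold number of them inside a sliding time window. It also reports how many distinct response sizes that source received, since a vulnerable endpoint answers valid and invalid usernames differently and a prober collecting both answers tends to show more than one size. The log lines, IP addresses, threshold and window are constructed assumptions for this example.

```python
"""Detect bursts of POST requests to Grav's /admin/forgot endpoint in
web-server access logs. Added defensive example; not Grav project code.
The log lines, IPs and thresholds below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET_PATH = "/admin/forgot"


def build_sample_log():
    """Constructed sample: one source fires 12 forgot-password POSTs in
    under two minutes (response sizes alternate, as an enumeration oracle
    would produce); two other sources show ordinary traffic."""
    base = datetime(2025, 12, 10, 10, 0, 0)
    lines = []
    for i in range(12):
        stamp = (base + timedelta(seconds=8 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        size = 4098 if i % 2 == 0 else 4120
        lines.append(f'203.0.113.5 - - [{stamp} +0000] "POST /admin/forgot HTTP/1.1" '
                     f'200 {size} "-" "python-requests/2.32"')
    lines.append('198.51.100.7 - - [10/Dec/2025:10:03:15 +0000] "POST /admin/forgot HTTP/1.1" '
                 '200 4120 "https://example.test/admin/forgot" "Mozilla/5.0"')
    lines.append('192.0.2.9 - - [10/Dec/2025:10:04:02 +0000] "GET /admin/forgot HTTP/1.1" '
                 '200 3877 "-" "Mozilla/5.0"')
    lines.append('192.0.2.9 - - [10/Dec/2025:10:04:20 +0000] "GET /admin HTTP/1.1" '
                 '302 0 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOG_LINES = build_sample_log()


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], TS_FMT)
    f["path"] = f["path"].split("?", 1)[0]
    f["bytes"] = 0 if f["bytes"] == "-" else int(f["bytes"])
    return f


def forgot_password_posts(lines):
    """Yield parsed POST requests to the forgot-password endpoint only;
    GETs merely render the form and are not reset attempts."""
    for line in lines:
        f = parse_line(line)
        if f and f["method"] == "POST" and f["path"] == TARGET_PATH:
            yield f


def flag_enumeration(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources that sent >= threshold forgot-password
    POSTs inside any sliding interval of length `window`."""
    per_ip = defaultdict(list)
    for f in forgot_password_posts(lines):
        per_ip[f["ip"]].append(f)
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(reqs)):  # two-pointer sliding window
            while reqs[end]["ts"] - reqs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "total": len(reqs),
                "max_in_window": peak,
                "distinct_sizes": len({r["bytes"] for r in reqs}),
                "user_agents": sorted({r["ua"] for r in reqs}),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_enumeration(SAMPLE_LOG_LINES).items():
        print(ip, summary)
```

Run it against a real log by passing the file's lines to `flag_enumeration`; tune `threshold` and `window` to the site's normal reset volume, and treat a flagged source with several distinct response sizes as a stronger signal than volume alone.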
