CVE-2025-66308

5.4 MEDIUM

📋 TL;DR

A stored XSS vulnerability in Grav's admin plugin allows attackers to inject malicious scripts into the site configuration's taxonomies parameter. The payload persists on the server and executes automatically when users access the affected configuration page, creating a persistent attack vector. This affects all Grav installations using the admin plugin before version 1.11.0-beta.1.

💻 Affected Systems

Products:
  • Grav CMS
  • Grav Admin Plugin
Versions: All versions prior to 1.11.0-beta.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin plugin to be installed and enabled. The vulnerable endpoint is /admin/config/site.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠 Likely Case

Session hijacking leading to unauthorized administrative access and potential website compromise.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though stored XSS remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the admin interface. The vulnerability is straightforward to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.0-beta.1

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f

Restart Required: No

Instructions:

1. Update the Grav admin plugin to version 1.11.0-beta.1 or later.
2. Run 'bin/gpm update' from Grav's root directory.
3. Clear any cached data.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement server-side input validation for the data[taxonomies] parameter to reject malicious scripts.

Output Encoding (all)

Apply proper HTML encoding to all user-controlled data before rendering in the admin interface.

🧯 If You Can't Patch

  • Restrict admin access to trusted IP addresses only
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check if Grav admin plugin version is below 1.11.0-beta.1 by examining the plugin's version file or admin interface.

Check Version:

grep -r 'version' user/plugins/admin/admin.php | head -1

Verify Fix Applied:

Verify the admin plugin version is 1.11.0-beta.1 or higher and test the /admin/config/site endpoint with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/config/site with script tags in parameters
  • Multiple failed login attempts followed by successful admin access

Network Indicators:

  • Unexpected JavaScript execution in admin interface
  • Outbound connections to suspicious domains from admin sessions

SIEM Query:

source="web_access_logs" AND uri_path="/admin/config/site" AND (http_method="POST" OR http_method="PUT") AND (param_data CONTAINS "<script>" OR param_data CONTAINS "javascript:")
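An added example, not part of this advisory: a small Python scanner that applies the logic of the SIEM query above to structured web log records, but on decoded form values so a URL-encoded payload is not missed by a literal string match. It assumes a JSON-lines log with client_ip, http_method, uri_path and param_data fields (param_data holding the raw form body is an assumption; the other field names are taken from the query), and the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs

# Indicators from the advisory: write requests to the site-config endpoint carrying
# script tags or javascript: URLs. Matching is done on decoded values so that a
# URL-encoded form body is not missed by a literal string search.
TARGET_PATH = "/admin/config/site"
WRITE_METHODS = {"POST", "PUT"}
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

def suspicious_fields(record: dict) -> list[str]:
    """Return the names of form fields in one log record that match the XSS indicators.

    `record` is a structured web log entry with `uri_path`, `http_method` and
    `param_data` (assumed here to be the raw form body) fields.
    """
    if record.get("uri_path") != TARGET_PATH:
        return []
    if str(record.get("http_method", "")).upper() not in WRITE_METHODS:
        return []
    # parse_qs decodes percent-encoding and '+' for us.
    fields = parse_qs(record.get("param_data", ""), keep_blank_values=True)
    return sorted(
        name for name, values in fields.items()
        if any(SCRIPT_PATTERN.search(v) for v in values)
    )

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan JSON-lines log records; return (client_ip, matching fields) per hit."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        fields = suspicious_fields(record)
        if fields:
            hits.append((record.get("client_ip", "?"), fields))
    return hits

# Constructed sample records (not real traffic). The third line is URL-encoded,
# which a literal "<script>" match on the raw body would miss.
SAMPLE_LOG = [
    '{"client_ip":"10.0.0.5","http_method":"GET","uri_path":"/admin/config/site","param_data":""}',
    '{"client_ip":"10.0.0.7","http_method":"POST","uri_path":"/admin/config/site",'
    '"param_data":"data[taxonomies]=category,tag&data[title]=My+Site"}',
    '{"client_ip":"203.0.113.9","http_method":"POST","uri_path":"/admin/config/site",'
    '"param_data":"data[taxonomies]=%3Cscript%3Ealert(1)%3C%2Fscript%3E&data[title]=My+Site"}',
    'not json at all',
]

if __name__ == "__main__":
    for ip, fields in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: XSS indicator in {', '.join(fields)}")
```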
