CVE-2025-66310
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Grav's Admin plugin allows an authenticated admin user to inject script through a page's template parameter. The stored payload executes in the browser of anyone who later views the affected content in the admin interface or on the frontend. All Grav installations running the Admin plugin before version 1.11.0-beta.1 are affected.
💻 Affected Systems
- Grav CMS
- Grav Admin Plugin
📦 What is this software?
Grav is a flat-file PHP CMS. The Admin plugin adds a browser-based administration panel for editing pages and managing plugins, themes and users; this advisory concerns the page editor in that panel.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin session cookies, perform actions as administrators, deface websites, or redirect users to malicious sites.
Likely Case
Session hijacking of admin users leading to unauthorized content modification or data theft.
If Mitigated
Limited impact if the template value is validated against real template names when a page is saved and output-encoded wherever the admin interface or frontend renders it.
🎯 Exploit Status
Exploitation requires an authenticated account in the Admin plugin that can edit pages; the payload is injected through the page template parameter and then fires for any other user who views the affected content. Because the payload is stored, a single low-trust editor account is enough to attack every administrator who later opens that page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.0-beta.1
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj
Restart Required: No
Instructions:
1. From the Grav root directory, update the Admin plugin to 1.11.0-beta.1 or later: run 'bin/gpm update admin' (or 'bin/gpm update' to update every installed package).
2. Clear the Grav cache if needed: 'bin/grav clearcache'.
🔧 Temporary Workarounds
Input Validation Filter
Add custom validation that rejects any template parameter value which is not a plain template name (letters, digits, '_' and '-'), and output-encode the value wherever the admin interface or frontend renders it.
Implement the check in user/plugins/admin/admin.php, or preferably in a separate small plugin, since admin.php is overwritten the next time the Admin plugin is updated.
🧯 If You Can't Patch
- Restrict admin access to trusted users only; any account that can edit pages can plant a payload that runs for every administrator who later opens that page
- Implement WAF rules on POST requests to /admin/pages/ that reject any data[header][template] value outside [A-Za-z0-9_-]+, rather than a denylist of script markers, which encoded or attribute-based payloads bypass
- Audit existing page headers (the template: field in user/pages/**/*.md) for values that are not plain template names; updating the plugin does not remove payloads that were stored before the patch
🔍 How to Verify
Check if Vulnerable:
Check the Admin plugin version in user/plugins/admin/blueprints.yaml (the version: field) or on the Plugins page of the Grav admin panel
Check Version:
php bin/gpm version admin
Verify Fix Applied:
Verify admin plugin version is 1.11.0-beta.1 or higher
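Comparing the installed version against 1.11.0-beta.1 by hand is error-prone: a plain string comparison ranks 1.9.0 above 1.11.0, and a naive numeric one either ranks the final 1.11.0 release below its own beta or ignores the pre-release suffix altogether. The script below is an added example, not part of this page or of Grav's own tooling. It parses a version string with semver-style precedence (numeric parts compared as numbers, a pre-release ranking below the corresponding final release) and pulls the admin plugin's version out of gpm-style output. The SAMPLE_OUTPUT text is constructed for the example; the real 'bin/gpm version admin' output may be formatted differently, so the parser only relies on a line mentioning admin that carries a version token.

```python
import re

# Patch version quoted on this page.
FIXED_VERSION = "1.11.0-beta.1"

# Constructed stand-in for the output of `php bin/gpm version admin`;
# the real format may differ, the parser only needs a line that mentions
# admin and carries a version token.
SAMPLE_OUTPUT = """\
You are running Grav v1.7.48
Admin Panel v1.10.48 - Latest version
"""

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease) for a version string.

    prerelease is None for a final release, otherwise a tuple of identifiers
    such as ('beta', 1).  A leading 'v' is accepted.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return release, None
    pre = tuple(int(p) if p.isdigit() else p.lower() for p in m.group(4).split("."))
    return release, pre


def version_key(text):
    """Sort key with semver precedence: numbers compared numerically, and a
    pre-release (1.11.0-beta.1) ranks below the final release (1.11.0)."""
    release, pre = parse_version(text)
    if pre is None:
        return (release, 1, ())
    # Numeric identifiers rank below alphanumeric ones, as in semver.
    ids = tuple((0, p, "") if isinstance(p, int) else (1, 0, p) for p in pre)
    return (release, 0, ids)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed Admin plugin is at or above the patched version."""
    return version_key(installed) >= version_key(fixed)


def admin_version_from_gpm_output(output):
    """Pull the admin plugin's version token out of gpm output, or None."""
    for line in output.splitlines():
        if "admin" in line.lower():
            m = _VERSION_RE.search(line)
            if m:
                return m.group(0).lstrip("v")
    return None


if __name__ == "__main__":
    installed = admin_version_from_gpm_output(SAMPLE_OUTPUT)
    print(installed, "fixed" if installed and is_fixed(installed) else "VULNERABLE")
```

Feed it the real output with 'php bin/gpm version admin | python3 check_version.py' style plumbing (reading stdin instead of SAMPLE_OUTPUT) once you have confirmed the output format on your own install.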
📡 Detection & Monitoring
Log Indicators:
- Unusual template parameter values in page edit logs
- Multiple failed admin login attempts (an attacker needs an Admin plugin account before this issue can be exploited, so credential attacks are a precursor)
Network Indicators:
- Suspicious JavaScript payloads in HTTP POST to /admin/pages/ endpoints
SIEM Query (pseudo-syntax, adapt to your platform; URL-decode the request body before matching):
source="grav_logs" AND ("data[header][template]" CONTAINS "<script>" OR "data[header][template]" CONTAINS "javascript:")
These two markers catch only the most obvious payloads; an alert on any data[header][template] value outside [A-Za-z0-9_-]+ also catches event-handler attributes such as onerror= and encoded variants.
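The following script is an added example, not part of this page or of Grav, that runs both the denylist rule above and the allowlist rule recommended in the workaround section over a handful of request records. The log format (one JSON object per line with method, path and raw POST body) is constructed for the example and is not a Grav log format; the field name data[header][template] comes from the SIEM query on this page, and the [A-Za-z0-9_-]+ template-name pattern is an assumption based on Grav template names being file stems. The same allowlist check is what a save-time validation hook should enforce.

```python
import json
import re
from urllib.parse import parse_qs

# Form field named in this page's SIEM query.
TEMPLATE_FIELD = "data[header][template]"

# Grav template names are file stems such as "default" or "blog_item".
# Anything outside this character set cannot be a legitimate template
# (assumption for this example).
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample records, not real Grav logs: one JSON object per line
# with the request method, path and the raw urlencoded POST body.
SAMPLE_LOG = """\
{"ts": "2025-12-01T10:00:00Z", "method": "POST", "path": "/admin/pages/home", "body": "data[header][title]=Home&data[header][template]=default"}
{"ts": "2025-12-01T10:01:00Z", "method": "POST", "path": "/admin/pages/blog", "body": "data[header][template]=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"ts": "2025-12-01T10:02:00Z", "method": "POST", "path": "/admin/pages/about", "body": "data[header][template]=x%3E%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"}
{"ts": "2025-12-01T10:03:00Z", "method": "GET", "path": "/admin/pages/about", "body": ""}
{"ts": "2025-12-01T10:04:00Z", "method": "POST", "path": "/admin/pages/news", "body": "data[header][template]=blog_item"}
"""


def denylist_hit(value):
    """The page's SIEM rule: substring match on two known markers only."""
    v = value.lower()
    return "<script>" in v or "javascript:" in v


def allowlist_hit(value):
    """Positive check: flag any non-empty value that is not a plain template
    name.  An empty field is treated as 'not set' and is not flagged."""
    return value != "" and TEMPLATE_NAME.match(value) is None


def scan(log_text):
    """Examine every POST to /admin/pages/ that carries the template field and
    report what each of the two rules says about the decoded value."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["method"] != "POST" or not rec["path"].startswith("/admin/pages/"):
            continue
        # parse_qs URL-decodes once, so %3C and + become "<" and " ".
        fields = parse_qs(rec["body"], keep_blank_values=True)
        for value in fields.get(TEMPLATE_FIELD, []):
            findings.append({
                "ts": rec["ts"],
                "path": rec["path"],
                "value": value,
                "denylist": denylist_hit(value),
                "allowlist": allowlist_hit(value),
            })
    return findings


def alerts(log_text):
    """Findings the allowlist rule would raise."""
    return [f for f in scan(log_text) if f["allowlist"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['path']} denylist={f['denylist']} "
              f"allowlist={f['allowlist']} value={f['value']!r}")
```

On the sample, the <img onerror=...> payload in the third record passes the denylist rule untouched but is caught by the allowlist rule, which is why the workaround and the WAF rule should be expressed as "value must look like a template name" rather than as a list of forbidden strings.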