CVE-2025-66311

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Grav's admin plugin allows attackers to inject malicious scripts into page metadata fields. When an administrator views or edits an affected page, the scripts execute automatically in their browser session. This affects all Grav installations using the admin plugin before version 1.11.0-beta.1.

💻 Affected Systems

Products:
  • Grav CMS
  • Grav Admin Plugin
Versions: All versions before 1.11.0-beta.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the admin plugin enabled. Requires admin-level access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to complete site takeover, data theft, or server-side code execution through chained attacks.

🟠 Likely Case

Session hijacking of admin accounts, unauthorized content modification, or credential theft from administrators.

🟢 If Mitigated

Limited to admin interface disruption or minor data manipulation if proper access controls and input validation are in place.

🌐 Internet-Facing: MEDIUM - Requires admin access, but can be exploited if the admin interface is exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers with admin access, or attackers holding compromised admin accounts, can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges. The vulnerability is in specific admin endpoints with clear injection points.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.0-beta.1

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg

Restart Required: No

Instructions:

1. Update the Grav admin plugin to version 1.11.0-beta.1 or later.
2. Run 'bin/gpm update' from the Grav root directory.
3. Clear the Grav cache if needed.

🔧 Temporary Workarounds

Input Validation Filter
Applies to: all

Implement custom input validation for the metadata, category, and tag fields to strip HTML/JavaScript content.

Modify Grav plugins or themes to sanitize input in the affected fields.

Restrict Admin Access
Applies to: all

Limit admin interface access to trusted IP addresses only.

Configure the web server (Apache/Nginx) to restrict the /admin path to specific IPs.

🧯 If You Can't Patch

  • Disable admin plugin if not required for operations
  • Implement Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check the admin plugin version in the Grav admin dashboard or via the 'bin/gpm version' command.

Check Version:

php bin/gpm version | grep 'Admin Plugin'

Verify Fix Applied:

Verify that the admin plugin version is 1.11.0-beta.1 or higher. Test injection attempts in the metadata fields to confirm that input is sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/pages/* with script tags in parameters
  • Multiple failed admin login attempts followed by successful access

Network Indicators:

  • HTTP requests containing script tags in metadata, category, or tag parameters to admin endpoints

SIEM Query:

web.url:"/admin/pages/*" AND (web.param:"data[header][metadata]" OR web.param:"data[header][taxonomy][category]" OR web.param:"data[header][taxonomy][tag]") AND (web.param:*"<script>"* OR web.param:*"javascript:"*)
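The SIEM query above expressed as runnable detection logic over constructed request-log lines, as an added example that is not part of this advisory. It assumes Grav posts these fields as nested PHP-style arrays (so child names such as data[header][metadata][description] or data[header][taxonomy][tag][] are matched by prefix) and a constructed 'method url body' log layout.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlparse

# Parameters named in the advisory's SIEM query. Grav posts form fields as nested
# PHP-style arrays, so matching the prefix (e.g. data[header][metadata][description]) is assumed.
WATCHED_PARAMS = (
    "data[header][metadata]",
    "data[header][taxonomy][category]",
    "data[header][taxonomy][tag]",
)
# Markers from the SIEM query, matched case-insensitively after URL decoding.
SCRIPT_MARKERS = re.compile(r"<script|javascript:", re.IGNORECASE)

def is_watched(name: str) -> bool:
    return any(name == p or name.startswith(p + "[") for p in WATCHED_PARAMS)

def suspicious_params(method: str, url: str, body: str) -> List[str]:
    """Return watched field names whose decoded value carries a script marker,
    for POST requests under /admin/pages/ only (other requests yield [])."""
    if method.upper() != "POST" or not urlparse(url).path.startswith("/admin/pages/"):
        return []
    fields = parse_qs(body, keep_blank_values=True)  # decodes both names and values
    return [name for name, values in fields.items()
            if is_watched(name) and any(SCRIPT_MARKERS.search(v) for v in values)]

def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Constructed log format: '<method> <url> <urlencoded body>' per line.
    Returns (1-based line number, flagged field names) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        method, url, body = (line.split(" ", 2) + ["", ""])[:3]  # body may be absent
        flagged = suspicious_params(method, url, body)
        if flagged:
            hits.append((lineno, flagged))
    return hits

# Constructed sample requests (not real traffic); the markers are inert strings.
SAMPLE_LOG = [
    "POST /admin/pages/blog data[header][title]=Hello&data[header][taxonomy][tag][]=news",
    "POST /admin/pages/blog data[header][metadata][description]=%3Cscript%3Ex%3C%2Fscript%3E",
    "POST /admin/pages/blog data[header][taxonomy][tag][]=JavaScript%3Ax",
    "GET /blog?q=%3Cscript%3E",
    "POST /admin/pages/blog data[header][title]=%3Cscript%3E",
]

if __name__ == "__main__":
    for lineno, flagged in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: script marker in {', '.join(flagged)}")
```

Only lines 2 and 3 of the sample are flagged: the GET request and the unwatched title field are ignored, matching the scope of the SIEM query.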
