CVE-2025-66312

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Grav's admin plugin allows attackers to inject malicious scripts into group names. When administrators view the affected groups page, the scripts execute automatically, potentially compromising admin sessions. This affects Grav installations using the admin plugin before version 1.11.0-beta.1.

💻 Affected Systems

Products:
  • Grav CMS with Admin Plugin
Versions: All versions before 1.11.0-beta.1
Operating Systems: All platforms running Grav
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the admin plugin enabled and accessible to users with admin privileges.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin session cookies, perform actions as administrators, install backdoors, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠

Likely Case

Attackers with admin access could inject persistent scripts that steal credentials or session tokens from other administrators viewing the groups page.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: MEDIUM - Grav admin interfaces are often exposed to the internet, but exploitation requires admin access to the vulnerable endpoint.
🏢 Internal Only: MEDIUM - Internal attackers with admin privileges could exploit this to escalate privileges or compromise other admin accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access to the /admin/accounts/groups/ endpoint to inject malicious payloads into the data[readableName] parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.0-beta.1

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988

Restart Required: No

Instructions:

1. Update the Grav admin plugin to version 1.11.0-beta.1 or later.
2. Run 'bin/gpm update' from the Grav root directory.
3. Clear the Grav cache if needed.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize HTML/JavaScript in group names

Implement custom validation in Grav plugins to strip script tags from group name inputs

Output Encoding

all

Apply proper output encoding when displaying group names in admin interface

Modify admin plugin templates to use htmlspecialchars() or equivalent when outputting group names

🧯 If You Can't Patch

  • Restrict access to the admin interface using IP whitelisting or VPN
  • Implement web application firewall (WAF) rules to block XSS payloads in group name parameters

🔍 How to Verify

Check if Vulnerable:

Check admin plugin version in Grav admin dashboard or via command line: php bin/gpm version admin

Check Version:

php bin/gpm version admin

Verify Fix Applied:

Verify admin plugin version is 1.11.0-beta.1 or later and test XSS payload injection in group names

📡 Detection & Monitoring

Log Indicators:

  • Unusual group name modifications containing script tags or JavaScript code
  • Multiple failed attempts to modify group names with special characters

Network Indicators:

  • POST requests to /admin/accounts/groups/ with script tags in parameters
  • Unusual traffic patterns to admin interface

SIEM Query:

source="grav_logs" AND (uri_path="/admin/accounts/groups/" AND (param="data[readableName]" CONTAINS "<script>" OR param="data[readableName]" CONTAINS "javascript:"))
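The SIEM query above matches the literal strings `<script>` and `javascript:`, but form bodies arrive URL-encoded and attackers vary case. The following Python is an added example (not part of this advisory or of Grav) that decodes the `data[readableName]` field from constructed request-log lines and applies a slightly broader set of patterns; the log format (`METHOD PATH BODY`) and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in an assumed "METHOD PATH BODY" format (not real Grav logs).
SAMPLE_LOG = """\
POST /admin/accounts/groups/ data%5BgroupName%5D=editors&data%5BreadableName%5D=Editors
POST /admin/accounts/groups/ data%5BgroupName%5D=ops&data%5BreadableName%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
POST /admin/accounts/groups/ data%5BgroupName%5D=qa&data%5BreadableName%5D=%3CIMG+SRC%3Djavascript%3Aalert%281%29%3E
GET /admin/accounts/groups/
POST /admin/pages/ data%5Bcontent%5D=%3Cscript%3Ex%3C%2Fscript%3E
"""

GROUPS_PATH = "/admin/accounts/groups/"
PARAM = "data[readableName]"
# Script tags, javascript: URLs, and inline event handlers, case-insensitive.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|<\s*\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def parse_line(line):
    """Split an assumed 'METHOD PATH BODY' line; BODY may be absent (e.g. GET)."""
    parts = line.split(" ", 2)
    method, path = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    return method, path, body


def flag_line(line):
    """Return the decoded readableName value if it looks like XSS, else None."""
    method, path, body = parse_line(line)
    if method != "POST" or path != GROUPS_PATH:
        return None
    # parse_qs URL-decodes both keys and values, so encoded payloads are caught.
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get(PARAM, []):
        if SUSPICIOUS.search(value):
            return value
    return None


def scan_log(text):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        value = flag_line(line)
        if value is not None:
            hits.append((lineno, value))
    return hits
```

Lines 2 and 3 of the sample are flagged; the page edit on line 5 is not, because it targets a different endpoint than the one this advisory covers.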
