CVE-2025-66308 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Grav Admin Plugin, an HTML user interface that provides a convenient way to configure Grav CMS and easily create and modify pages. This vulnerability exists in versions prior to 1.11.0-beta.1 and allows attackers to inject malicious scripts into the data[taxonomies] parameter through the /admin/config/site endpoint.
The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. With a CVSS score of 6.8 (MEDIUM), this vulnerability poses significant risk to Grav CMS installations using the admin plugin, potentially allowing attackers to steal session cookies, perform actions on behalf of authenticated administrators, or deliver additional malicious payloads.
Critical Impact
Persistent XSS payloads stored in site configuration can execute in the context of any administrator accessing the affected page, potentially leading to session hijacking, credential theft, or administrative account compromise.
Affected Products
- getgrav grav-plugin-admin (versions prior to 1.11.0-beta.1)
Discovery Timeline
- December 1, 2025 - CVE-2025-66308 published to NVD
- December 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66308
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The attack vector is network-based (AV:N) with low attack complexity (AC:L), though it requires high privileges (PR:H) and active user interaction (UI:A) to exploit successfully.
The CVSS 4.0 vector string is: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The Exploit Prediction Scoring System (EPSS) gives this vulnerability an exploitation probability of 0.028% (7.159th percentile), suggesting a relatively low likelihood of active exploitation in the wild at this time. However, stored XSS vulnerabilities in administrative interfaces are high-value targets for attackers.
Root Cause
The root cause of this vulnerability is improper input sanitization in the site configuration endpoint. The data[taxonomies] parameter accepts user-supplied input that is stored in the server-side configuration without adequate HTML encoding or sanitization. When this data is later rendered in the administrative interface, the stored malicious script executes in the context of the viewing user's browser session.
The vulnerability exists because the Selectize form fields used in the admin interface did not properly escape HTML content when rendering option and item elements, allowing stored payloads to execute when administrators access the configuration page.
Attack Vector
The attack requires an authenticated user with administrative privileges to inject malicious JavaScript into the taxonomies field via the /admin/config/site endpoint. Once stored, the payload executes automatically when any administrator accesses the site configuration page.
The security patch addresses this by implementing safe render functions that properly escape HTML content:
```javascript
// Security: Default render functions that escape HTML to prevent XSS
// (GHSA-65mj-f7p4-wggq, GHSA-7g78-5g5g-mvfj, GHSA-mpjj-4688-3fxg)
const SafeRender = {
    option: function(item, escape) {
        return `<div>${escape(item.text || item.value)}</div>`;
    },
    item: function(item, escape) {
        return `<div>${escape(item.text || item.value)}</div>`;
    }
};
```
Source: https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
The patch introduces safe rendering functions that use the escape() helper Selectize passes to its render callbacks (not the deprecated JavaScript global escape(), which URL-encodes and would not prevent XSS) to encode HTML entities before inserting user-controlled content into the DOM.
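To make the fix concrete, the following added example (not code from the Grav commit) places a pre-fix render hook beside the SafeRender shape from the patch and runs both over a constructed taxonomy value that contains markup. The escapeHtml helper is a reimplementation of the escape function Selectize supplies to render callbacks; its exact match to the upstream helper is an assumption.

```javascript
// Reimplementation of the escape helper Selectize passes to render
// callbacks (assumption: same four replacements as upstream).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Constructed pre-fix behaviour: the option text is interpolated verbatim,
// so any markup stored in site.yaml lands in the DOM unchanged.
const UnsafeRender = {
  option: (item) => `<div>${item.text || item.value}</div>`,
  item:   (item) => `<div>${item.text || item.value}</div>`,
};

// Post-fix behaviour, mirroring the SafeRender object from the patch.
const SafeRender = {
  option: (item, escape) => `<div>${escape(item.text || item.value)}</div>`,
  item:   (item, escape) => `<div>${escape(item.text || item.value)}</div>`,
};

// Constructed taxonomy entry, standing in for an attacker-controlled value
// stored through data[taxonomies].
const taxonomy = { value: 'tag', text: '<b>news</b> & "events"' };

function renderUnsafe(item) { return UnsafeRender.option(item); }
function renderSafe(item)   { return SafeRender.option(item, escapeHtml); }

// True when the rendered markup still contains a raw tag other than the
// wrapping <div>, i.e. when stored content reached the DOM unescaped.
function containsRawTag(html) { return /<(?!\/?div>)[a-z]/i.test(html); }

console.log('unsafe:', renderUnsafe(taxonomy), containsRawTag(renderUnsafe(taxonomy)));
console.log('safe:  ', renderSafe(taxonomy), containsRawTag(renderSafe(taxonomy)));
```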
Detection Methods for CVE-2025-66308
Indicators of Compromise
- Unusual JavaScript code present in taxonomy configuration values in /user/config/site.yaml
- Suspicious <script> tags or event handlers (onclick, onerror, etc.) in stored configuration data
- Unexpected network requests originating from the admin panel to external domains
- Anomalous admin user session activity or unauthorized configuration changes
Detection Strategies
Organizations should implement the following detection strategies:
Log Monitoring: Review web server logs for POST requests to /admin/config/site containing suspicious payloads such as <script>, javascript:, or HTML event handlers in the data[taxonomies] parameter. Note that standard access logs record only the request line, not the POST body, so the parameter contents are visible only where request-body logging (for example a WAF audit log) is enabled.
Configuration File Auditing: Regularly audit the site.yaml configuration file for unexpected JavaScript code or HTML elements that could indicate stored XSS payloads.
Content Security Policy Violations: Implement and monitor Content Security Policy (CSP) headers to detect and block inline script execution, which would trigger violation reports if XSS payloads attempt to execute.
Behavioral Analysis: Monitor for unusual admin panel activity, including unexpected API calls or data exfiltration attempts that could indicate compromised administrator sessions.
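The configuration-auditing strategy above can be scripted. The following added example (not part of the advisory or of Grav) scans the taxonomies list of a constructed /user/config/site.yaml for the indicators the advisory names: HTML tags, inline event handlers and javascript: URIs. It assumes Grav's default block-list layout under the taxonomies: key; a production audit should load the file with a YAML parser rather than this line scan.

```javascript
// Constructed sample of /user/config/site.yaml: three benign values and
// two that a stored-XSS attempt would leave behind.
const SAMPLE_SITE_YAML = `
title: Example Site
taxonomies:
  - category
  - tag
  - "<b onclick=x>news</b>"
  - "javascript:x"
  - author
metadata:
  description: Demo
`;

// Indicators from the advisory: tags, inline event handlers, javascript: URIs.
const SUSPICIOUS = [
  { name: 'html-tag',       re: /<\s*[a-z!\/]/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Collect the `- value` items that follow a top-level `taxonomies:` key.
// The list ends at the next non-blank line that is not a list item.
function extractTaxonomies(yamlText) {
  const values = [];
  let inList = false;
  for (const line of yamlText.split('\n')) {
    if (/^taxonomies:\s*$/.test(line)) { inList = true; continue; }
    if (!inList) continue;
    const m = line.match(/^\s+-\s*(.*)$/);
    if (!m) { if (line.trim() !== '') inList = false; continue; }
    // Strip matching surrounding quotes so the indicator regexes see the raw value.
    values.push(m[1].trim().replace(/^(["'])(.*)\1$/, '$2'));
  }
  return values;
}

// One finding per taxonomy value that matches any indicator.
function auditTaxonomies(yamlText) {
  const findings = [];
  for (const value of extractTaxonomies(yamlText)) {
    const hits = SUSPICIOUS.filter(p => p.re.test(value)).map(p => p.name);
    if (hits.length) findings.push({ value, hits });
  }
  return findings;
}

console.log(auditTaxonomies(SAMPLE_SITE_YAML));
```

Run the same function over the real file's contents as part of the file-integrity check; an empty result means no value matched any indicator, not that the file is clean.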
Monitoring Recommendations
- Enable verbose logging for the Grav admin plugin and monitor for suspicious POST requests
- Implement file integrity monitoring on configuration files within the /user/config/ directory
- Deploy a Web Application Firewall (WAF) with XSS detection rules targeting the admin endpoints
- Configure browser-side CSP reporting to capture any attempted XSS execution
- SentinelOne Singularity platform can provide real-time behavioral monitoring and threat detection for systems hosting Grav CMS installations
How to Mitigate CVE-2025-66308
Immediate Actions Required
- Upgrade the Grav Admin Plugin to version 1.11.0-beta.1 or later immediately
- Audit existing site configuration for any malicious scripts that may have been injected
- Review admin user accounts for unauthorized access or suspicious activity
- Implement Content Security Policy headers to mitigate the impact of any unpatched XSS vulnerabilities
Patch Information
The vulnerability has been fixed in Grav Admin Plugin version 1.11.0-beta.1. The patch is available in commit 99f653296504f1d6408510dd2f6f20a45a26f9b0.
Vendor Resources:
To update the Grav Admin Plugin:
```shell
# Update via Grav Package Manager
bin/gpm update admin
# Or manually update via composer
composer update getgrav/grav-plugin-admin
# Verify the installed version
bin/gpm version admin
```
Workarounds
If immediate patching is not possible, consider the following temporary mitigations:
Restrict Admin Access: Limit administrative access to trusted IP addresses only using web server configuration or network-level controls.
Implement CSP Headers: Add strict Content Security Policy headers to prevent inline script execution. Test the policy on a staging copy first, since admin pages that rely on inline scripts will stop working under a strict script-src 'self':
```shell
# Apache .htaccess configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
```
```nginx
# Nginx configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';";
```
Audit and Clean Configuration: Manually inspect the /user/config/site.yaml file for any suspicious content and remove unauthorized entries.
Enable Multi-Factor Authentication: Ensure all administrative accounts have MFA enabled to reduce the risk of compromised credentials being used to inject payloads.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.