CVE-2025-66308 Overview
CVE-2025-66308 is a stored cross-site scripting (XSS) vulnerability in the Grav admin plugin, an HTML user interface for configuring Grav content management system installations. The flaw exists in the /admin/config/site endpoint, where the data[taxonomies] parameter accepts unsanitized input. An authenticated attacker with administrative privileges can inject malicious JavaScript that persists on the server. The payload executes in the browser of any user who subsequently loads the site configuration page. This vulnerability affects getgrav/grav-plugin-admin versions prior to 1.11.0-beta.1 and is tracked under [CWE-79].
Critical Impact
Persistent JavaScript execution in administrator browsers, enabling session theft, configuration tampering, and lateral movement within the Grav admin interface.
Affected Products
- Grav CMS admin plugin (getgrav/grav-plugin-admin) versions prior to 1.11.0-beta.1
- Grav installations using the affected admin plugin for site configuration management
- All deployments exposing the /admin/config/site endpoint to privileged users
Discovery Timeline
- 2025-12-01 - CVE-2025-66308 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-66308
Vulnerability Analysis
The vulnerability resides in the site configuration handler of the Grav admin plugin. The /admin/config/site endpoint processes the data[taxonomies] parameter without applying output encoding or input sanitization. When an attacker submits a crafted payload containing HTML or JavaScript, the application stores the value in the site configuration file. The payload is rendered back into the admin interface whenever a user loads the configuration page.
Because the injected script executes within the authenticated admin session, an attacker can perform actions on behalf of the victim. These actions include modifying pages, creating administrative accounts, exfiltrating session cookies, or pivoting to other endpoints exposed by the CMS. The persistence of the payload turns each configuration view into a reliable execution trigger.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The admin plugin trusted the data[taxonomies] field as a structured configuration value and rendered it back to clients without context-aware escaping.
Attack Vector
Exploitation requires network access to the admin interface and high privileges, since the /admin/config/site endpoint is restricted to authenticated administrators. A user interaction is needed to trigger payload execution. The attack is most relevant in multi-administrator deployments, where a lower-trust admin can target higher-privilege accounts, or in scenarios where credentials are partially compromised. No verified proof-of-concept code is publicly available; see the GitHub Security Advisory for technical details.
Detection Methods for CVE-2025-66308
Indicators of Compromise
- Unexpected HTML or <script> tags stored in the taxonomies field of the site configuration YAML file
- POST requests to /admin/config/site containing script payloads in the data[taxonomies] parameter
- Outbound network requests from administrator browsers to unknown domains after loading admin pages
Detection Strategies
- Audit Grav configuration files for non-alphanumeric content in taxonomy entries that does not match expected category names
- Inspect web server access logs for POST submissions to /admin/config/site containing URL-encoded angle brackets or javascript: schemes
- Deploy a Content Security Policy in report-only mode to surface inline script execution on admin pages
Monitoring Recommendations
- Forward web server and admin plugin logs to a centralized analytics platform and alert on anomalous configuration changes
- Track admin account activity, including configuration edits made outside of normal change windows
- Monitor for new outbound connections originating from administrator workstations correlated with admin panel access
How to Mitigate CVE-2025-66308
Immediate Actions Required
- Upgrade the Grav admin plugin to version 1.11.0-beta.1 or later as published in the vendor commit
- Review the taxonomies configuration in user/config/site.yaml and remove any entries containing HTML or scripting content
- Rotate administrator credentials and invalidate active admin sessions following the upgrade
Patch Information
The maintainers fixed the issue in commit 99f653296504f1d6408510dd2f6f20a45a26f9b0, released in grav-plugin-admin version 1.11.0-beta.1. The patch applies proper sanitization to taxonomy input handled by the /admin/config/site endpoint. Refer to the GitHub Security Advisory GHSA-gqxx-248x-g29f for full remediation guidance.
Workarounds
- Restrict access to the /admin interface by IP allowlist or VPN until the patch is applied
- Limit administrative accounts to trusted operators and enforce multi-factor authentication on the admin panel
- Deploy a strict Content Security Policy that disallows inline script execution on admin routes to reduce payload impact
# Update the Grav admin plugin via the bin/gpm utility
cd /path/to/grav
bin/gpm update admin
# Verify installed plugin version is 1.11.0-beta.1 or later
bin/gpm info admin | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

