CVE-2025-66309 Overview
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Grav Admin Plugin, an HTML user interface that provides a convenient way to configure Grav CMS and easily create and modify pages. Prior to version 1.11.0-beta.1, attackers can inject malicious scripts into the data[header][content][items] parameter via the /admin/pages/[page] endpoint. This vulnerability allows for script injection attacks that could compromise administrative sessions and enable unauthorized actions within the Grav CMS administration interface.
Critical Impact
Attackers can inject malicious JavaScript code through the admin interface, potentially hijacking admin sessions, stealing credentials, or performing unauthorized administrative actions within the Grav CMS environment.
Affected Products
- Grav Admin Plugin versions prior to 1.11.0-beta.1
- getgrav grav-plugin-admin
Discovery Timeline
- 2025-12-01 - CVE-2025-66309 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-66309
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The Grav Admin Plugin fails to properly sanitize user-supplied input in the data[header][content][items] parameter when processing requests to the /admin/pages/[page] endpoint. This allows attackers to inject arbitrary JavaScript code that executes in the context of an authenticated administrator's browser session.
The vulnerability carries a CVSS v4.0 score of 6.2 (MEDIUM) with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H. While the attack requires high privileges (PR:H) and active user interaction (UI:A), the subsequent impact on downstream systems is high for confidentiality, integrity, and availability (SC:H/SI:H/SA:H).
The EPSS (Exploit Prediction Scoring System) probability is approximately 0.028% with a percentile ranking of 7.34, indicating a relatively low likelihood of exploitation in the wild as of 2025-12-16.
Root Cause
The root cause of this vulnerability lies in insufficient output encoding within the Grav Admin Plugin's selectize.js form field component. When rendering user-supplied values in dropdown menus and selection interfaces, the render callbacks inserted the raw text into the option markup without HTML-escaping it, so a value containing markup was parsed by the browser as HTML and any injected script executed within the DOM.
The security patch introduces safe rendering functions that properly escape HTML content before rendering:
// Security: Default render functions that escape HTML to prevent XSS
// (GHSA-65mj-f7p4-wggq, GHSA-7g78-5g5g-mvfj, GHSA-mpjj-4688-3fxg)
const SafeRender = {
    option: function(item, escape) {
        return `<div>${escape(item.text || item.value)}</div>`;
    },
    item: function(item, escape) {
        return `<div>${escape(item.text || item.value)}</div>`;
    }
};

export default class SelectizeField {
    constructor(options = {}) {
        this.options = Object.assign({}, options);
        // remainder of the constructor and class body omitted from this excerpt
    }
}
Source: https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
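To make the root cause concrete, the following is an added example (not code from the Grav Admin Plugin) that renders a selectize item through an unescaped render callback and through the SafeRender shape used by the patch. The escapeHtml helper stands in for the escape function selectize passes to render callbacks, and the sample item is constructed.

```javascript
// Minimal HTML escaper standing in for selectize's built-in escape helper (assumption).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Vulnerable shape: the item text is interpolated into the option markup verbatim,
// so a reflected value such as data[header][content][items] is parsed as HTML.
const UnsafeRender = {
  option: (item) => `<div>${item.text || item.value}</div>`,
  item:   (item) => `<div>${item.text || item.value}</div>`,
};

// Patched shape (as in 1.11.0-beta.1): the escape helper selectize hands to the
// callback neutralises markup characters before the string reaches the DOM.
const SafeRender = {
  option: (item, escape) => `<div>${escape(item.text || item.value)}</div>`,
  item:   (item, escape) => `<div>${escape(item.text || item.value)}</div>`,
};

// Renders one item through a render map, passing the escaper the way selectize does.
function renderOption(renderMap, item) {
  return renderMap.option(item, escapeHtml);
}

// True if the rendered markup still contains a tag other than the wrapper <div>,
// i.e. the item text was turned into live HTML rather than displayed as text.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div>/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z/]/.test(inner);
}

// Constructed sample: a reflected value carrying script markup.
const reflectedItem = { value: 'x', text: '<script>alert(1)</script>' };

console.log(renderOption(UnsafeRender, reflectedItem)); // tag survives as markup
console.log(renderOption(SafeRender, reflectedItem));   // tag rendered as &lt;script&gt; text
```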
Attack Vector
The attack vector is network-based (AV:N), requiring an attacker to craft a malicious URL containing JavaScript payloads within the data[header][content][items] parameter. When an authenticated administrator clicks the crafted link or visits the malicious URL, the injected script executes with the privileges of the admin user.
A typical attack scenario involves:
- Attacker crafts a malicious URL targeting the /admin/pages/[page] endpoint
- The URL contains XSS payload in the data[header][content][items] parameter
- Administrator is tricked into clicking the link (via phishing or social engineering)
- Malicious JavaScript executes in the admin's browser context
- Attacker can steal session tokens, modify page content, or create backdoor accounts
Detection Methods for CVE-2025-66309
Indicators of Compromise
- Unusual HTTP requests to /admin/pages/* endpoints containing encoded JavaScript in parameters
- Suspicious data[header][content][items] parameter values with script tags or event handlers
- Web server logs showing requests with encoded characters like %3Cscript%3E or JavaScript event handlers (onerror, onload, onclick)
- Unexpected administrative actions performed without legitimate admin activity
Detection Strategies
Organizations can implement detection by monitoring web application firewall (WAF) logs for XSS patterns targeting Grav admin endpoints. Specifically, look for:
- URL Pattern Monitoring: Alert on requests to /admin/pages/ containing <script>, javascript:, or HTML event handlers in query parameters
- Parameter Analysis: Inspect the data[header][content][items] parameter for encoded malicious payloads
- Session Anomaly Detection: Monitor for administrative sessions performing actions from unusual IP addresses or at unusual times following link clicks
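The indicators and strategies above can be applied to web server access logs. The following is an added example (not a Grav or vendor tool) that scans Apache combined-format lines for requests to /admin/pages/ whose query parameters carry the markers listed above; the combined log format is an assumption and the two log lines are constructed.

```javascript
const ADMIN_PREFIX = '/admin/pages/';
const TARGET_PARAM = 'data[header][content][items]';
// Markers from the indicators above: script tags, javascript: URLs, event handlers.
const XSS_MARKERS = [/<script/i, /javascript:/i, /\bon[a-z]+\s*=/i];

// Splits a combined-format access log line into the fields this check needs.
function parseAccessLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  return m ? { ip: m[1], time: m[2], method: m[3], target: m[4], status: m[5] } : null;
}

// Splits at the first separator only, so '=' or '?' inside values survive.
function splitOnce(s, sep) {
  const i = s.indexOf(sep);
  return i < 0 ? [s, ''] : [s.slice(0, i), s.slice(i + 1)];
}

// Decodes a name or value, tolerating malformed escapes; a second pass
// unwraps double encoding (%253C -> %3C -> <) so encoded payloads are not missed.
function decodeParam(s) {
  let out = s.replace(/\+/g, ' ');
  for (let pass = 0; pass < 2; pass++) {
    try { out = decodeURIComponent(out); } catch { break; }
  }
  return out;
}

// Returns a finding for a request to the admin pages endpoint whose query carries
// an XSS marker, else null. Access logs only show query strings; POST bodies need
// the WAF or application log instead.
function inspectRequest(line) {
  const req = parseAccessLine(line);
  if (!req) return null;
  const [path, query] = splitOnce(req.target, '?');
  if (!path.startsWith(ADMIN_PREFIX)) return null;
  for (const pair of query.split('&')) {
    const [rawName, rawValue] = splitOnce(pair, '=');
    const name = decodeParam(rawName);
    const value = decodeParam(rawValue);
    const hit = XSS_MARKERS.find((re) => re.test(value));
    if (hit) return { ip: req.ip, time: req.time, path, param: name,
                      targetParam: name === TARGET_PARAM, marker: hit.source };
  }
  return null;
}

// Constructed sample lines: a benign title edit and a reflected-script attempt.
const SAMPLE_LOG = [
  '10.0.0.5 - admin [01/Dec/2025:10:00:00 +0000] "GET /admin/pages/home?data%5Bheader%5D%5Btitle%5D=Home HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Dec/2025:10:02:17 +0000] "GET /admin/pages/home?data%5Bheader%5D%5Bcontent%5D%5Bitems%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048',
];
const findings = SAMPLE_LOG.map(inspectRequest).filter(Boolean);
console.log(findings);
```

A finding with targetParam set to true is the exact parameter named in the advisory; hits on other parameters under /admin/pages/ are still worth triage.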
Monitoring Recommendations
Implement Content Security Policy (CSP) headers to restrict script execution sources. Deploy web application firewall rules to detect and block XSS payloads in URL parameters. Enable detailed logging for all requests to Grav admin endpoints and integrate with SIEM solutions for real-time alerting on suspicious patterns.
How to Mitigate CVE-2025-66309
Immediate Actions Required
- Upgrade Grav Admin Plugin to version 1.11.0-beta.1 or later immediately
- Review web server access logs for evidence of exploitation attempts
- Implement Content Security Policy (CSP) headers to mitigate script injection attacks
- Educate administrators about the risks of clicking untrusted links while logged into the admin panel
Patch Information
The vulnerability is fixed in Grav Admin Plugin version 1.11.0-beta.1. The patch is available in commit 99f653296504f1d6408510dd2f6f20a45a26f9b0 which introduces proper HTML escaping in the selectize.js component's render functions.
The fix also addresses related security issues including user enumeration vulnerabilities in the password reset functionality:
$interval = $config->get('plugins.login.max_pw_resets_interval', 2);
- $this->setMessage($this->translate('PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $to, $interval), 'error');
+ // Security: Use generic message to prevent email enumeration (GHSA-q3qx-cp62-f6m7)
+ $this->setMessage($this->translate('PLUGIN_ADMIN.FORGOT_CANNOT_RESET_RATE_LIMITED', $interval), 'error');
return $this->createRedirectResponse($current);
}
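Review bot: the replacement message key changes namespace from PLUGIN_LOGIN to PLUGIN_ADMIN (`PLUGIN_ADMIN.FORGOT_CANNOT_RESET_RATE_LIMITED`) and drops the `$to` argument; confirm that key exists in the admin plugin's language files for every shipped locale, otherwise users see the raw key instead of the generic text. Also check that the other branches of the reset handler (unknown address, successful send) return the same wording and the same redirect so the rate-limited path is not still distinguishable from the unknown-address path, which is what the enumeration fix depends on.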
Source: https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
For additional details, refer to the vendor security advisory: https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq
Workarounds
If immediate patching is not possible, implement the following temporary mitigations:
# Add CSP header to restrict script sources (Apache example; requires mod_headers).
# A strict script-src blocks inline scripts, including a reflected one, but can also
# break admin UI features that rely on inline scripts, so test the admin panel after enabling it.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Restrict admin access by IP address (Apache 2.4 "Require" syntax; adjust the range to your network)
<Location /admin>
    Require ip 192.168.1.0/24
</Location>

# Enable mod_security XSS detection (ModSecurity 2.x syntax; @detectXSS needs libinjection support,
# and rule IDs 1-99999 are reserved for local rules)
SecRule ARGS "@detectXSS" "id:1,phase:2,deny,status:403,log,msg:'XSS Attack Detected'"
Additionally, consider restricting admin panel access to trusted IP addresses only, implementing multi-factor authentication for administrative accounts, and using a reverse proxy with XSS filtering capabilities until the patch can be applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.