CVE-2025-66310 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Grav Admin Plugin, an HTML user interface that provides a convenient way to configure Grav CMS and easily create and modify pages. This vulnerability exists in the /admin/pages/[page] endpoint and allows attackers to inject malicious scripts into the data[header][template] parameter. The injected script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view.
This medium severity vulnerability (CVSS 6.2) poses a significant risk as it enables persistent script execution within the context of authenticated administrative sessions, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of administrators.
Critical Impact
Authenticated attackers with high privileges can inject persistent malicious scripts that execute in the context of other users viewing affected pages, potentially compromising administrative sessions and enabling further attacks against the Grav CMS installation.
Affected Products
- getgrav grav-plugin-admin (versions prior to 1.11.0-beta.1)
Discovery Timeline
- December 1, 2025 - CVE-2025-66310 published to NVD
- December 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66310
Vulnerability Analysis
The Stored XSS vulnerability (CWE-79) resides in the page editing functionality of the Grav Admin Plugin. When processing page template selections through the /admin/pages/[page] endpoint, the application fails to properly sanitize user-supplied input in the data[header][template] parameter before storing it in the page's frontmatter configuration.
The vulnerability carries a CVSS 4.0 score of 6.2 (Medium) with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The EPSS score is 0.028% (7.159 percentile), indicating a relatively low probability of exploitation in the wild at this time.
Root Cause
The root cause of this vulnerability is improper input validation and insufficient output encoding in the template parameter handling. When users with administrative privileges modify page templates, the application stores the raw input directly into the page's YAML frontmatter without proper sanitization. Subsequently, when the page is rendered in either the administrative interface or the frontend view, the stored malicious script is executed in the browser context of any user viewing the affected content.
Attack Vector
This vulnerability is exploitable over the network and requires:
- High Privileges: The attacker must have administrative access to the Grav CMS installation
- User Interaction: A victim must view the affected page content for the script to execute
The attack flow involves an authenticated administrator navigating to a page editor, injecting malicious JavaScript code into the template parameter field, saving the page, and then waiting for other users (including other administrators) to view the affected page. The malicious script executes within the victim's browser session, potentially allowing the attacker to steal session tokens, perform actions as the victim, or redirect users to malicious sites.
The vulnerability mechanism involves insufficient sanitization of the data[header][template] parameter before storage in the page frontmatter. When the template value is later rendered in the administrative interface or frontend, the stored payload executes in the context of the viewing user's session. For technical details and proof-of-concept information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2025-66310
Indicators of Compromise
- Unexpected JavaScript code present in page frontmatter template fields
- Anomalous page template values containing <script> tags or event handlers (e.g., onerror, onclick)
- Suspicious modifications to page configurations in the user/pages/ directory
- Unusual administrative session activity following page views
- Browser console errors or warnings related to Content Security Policy violations
Detection Strategies
Log Analysis:
Monitor Grav CMS access logs for POST requests to /admin/pages/[page] endpoints containing suspicious payloads in the template parameter. Look for URL-encoded JavaScript keywords such as %3Cscript, javascript:, or common XSS vectors.
File Integrity Monitoring:
Implement file integrity monitoring on the user/pages/ directory to detect unauthorized or suspicious modifications to page markdown files. Alert on any frontmatter changes containing HTML tags or JavaScript event handlers.
Content Inspection:
Regularly audit page frontmatter content for unexpected template values that deviate from legitimate template names. Legitimate template values should match existing template files in the theme directory.
Monitoring Recommendations
- Enable detailed access logging for all administrative endpoints
- Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks
- Deploy Web Application Firewall (WAF) rules to detect and block XSS payloads in POST requests
- Configure real-time alerting for modifications to page frontmatter files
- Monitor browser console outputs in administrative sessions for unexpected script execution errors
How to Mitigate CVE-2025-66310
Immediate Actions Required
- Update Grav Admin Plugin to version 1.11.0-beta.1 or later immediately
- Audit existing page frontmatter files for any suspicious template values containing JavaScript code
- Review administrative access logs for signs of exploitation attempts
- Implement Content Security Policy headers to reduce the impact of potential XSS attacks
- Restrict administrative access to trusted IP addresses where possible
Patch Information
The vulnerability has been fixed in Grav Admin Plugin version 1.11.0-beta.1. The patch is available in commit 99f653296504f1d6408510dd2f6f20a45a26f9b0.
Patch Resources:
To update the Grav Admin Plugin, use the Grav Package Manager (GPM) or manually download and install the patched version from the official repository.
Workarounds
If immediate patching is not possible, consider the following temporary mitigations:
Restrict Administrative Access: Limit administrative panel access to trusted users only and implement additional authentication controls such as IP whitelisting or VPN requirements.
Implement Web Application Firewall Rules: Configure WAF rules to inspect and filter POST requests to /admin/pages/ endpoints, blocking requests containing HTML tags or JavaScript code in the template parameter.
Deploy Content Security Policy: Add strict CSP headers to prevent inline script execution, which can significantly reduce the impact of stored XSS attacks.
# Example Apache .htaccess configuration for CSP headers
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
