CVE-2025-66311 Overview
CVE-2025-66311 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Grav Admin Plugin, an HTML user interface that provides a convenient way to configure Grav CMS and easily create and modify pages. The vulnerability exists in the /admin/pages/[page] endpoint and allows attackers with administrative privileges to inject malicious scripts into page metadata and taxonomy parameters. These scripts are stored in the page frontmatter and execute automatically whenever the affected page is accessed or rendered in the administrative interface.
The vulnerability specifically affects the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. When exploited, this stored XSS can lead to session hijacking, credential theft, administrative account compromise, and further attacks against other authenticated users accessing the affected pages.
Critical Impact
Stored XSS vulnerability allowing malicious script injection in Grav Admin interface that executes when affected pages are viewed, potentially compromising administrative sessions and enabling privilege escalation across the CMS.
Affected Products
- Grav Admin Plugin versions prior to 1.11.0-beta.1
- getgrav grav-plugin-admin
Discovery Timeline
- December 1, 2025 - CVE-2025-66311 published to NVD
- December 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66311
Vulnerability Analysis
This Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) resides in the page editing functionality of the Grav Admin Plugin. The vulnerability has been assigned a CVSS 4.0 score of 6.2 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
The attack vector is Network-based, requiring high privileges (PR:H) and active user interaction (UI:A). While the direct confidentiality and integrity impacts are limited, the subsequent system impacts are rated high, indicating the potential for significant downstream compromise.
The EPSS (Exploit Prediction Scoring System) data indicates an exploitation probability of approximately 0.028% with a percentile ranking of 7.159, suggesting a relatively low likelihood of active exploitation in the wild. However, organizations should not delay remediation as stored XSS vulnerabilities can have cascading effects.
Root Cause
The root cause of CVE-2025-66311 is improper input validation and output encoding in the Grav Admin Plugin's page editing functionality. When users submit data through the page configuration forms, the application fails to properly sanitize user-supplied input in the metadata and taxonomy fields before storing them in the page frontmatter. Subsequently, when these pages are rendered in the administrative interface, the malicious payloads are executed in the browser context of authenticated users without proper output encoding.
The vulnerable parameters include:
- data[header][metadata] - Page metadata fields
- data[header][taxonomy][category] - Taxonomy category assignments
- data[header][taxonomy][tag] - Taxonomy tag assignments
Attack Vector
The attack requires an authenticated user with administrative access to the Grav CMS backend. The attacker would navigate to the page editing interface at /admin/pages/[page] and inject malicious JavaScript code into one of the vulnerable form fields. The malicious payload is then stored within the page's YAML frontmatter.
When any authenticated administrator subsequently views or edits the affected page, the stored script executes within their browser session. This can lead to:
- Session token theft via document.cookie access
- Keylogging of administrative credentials
- CSRF attacks against other admin functionality
- Defacement of the administrative interface
- Lateral movement to compromise other administrative accounts
The exploitation requires the victim to actively view the compromised page in the admin panel, making it a targeted attack vector suitable for spear-phishing scenarios within multi-admin environments.
Detection Methods for CVE-2025-66311
Indicators of Compromise
- Unusual JavaScript code present in page frontmatter YAML files (.md files in the user/pages/ directory)
- Script tags or event handlers embedded in metadata, category, or tag fields
- Unexpected external resource requests originating from the admin interface
- Anomalous session activity or authentication events following page views
- Modified page files with obfuscated or encoded content in header sections
Detection Strategies
Organizations should implement the following detection strategies to identify potential exploitation:
File Integrity Monitoring: Monitor the user/pages/ directory for modifications to page files. Look for unusual patterns in YAML frontmatter such as script tags, javascript: URLs, or HTML event handlers.
Web Application Firewall (WAF) Rules: Configure WAF rules to detect and block XSS payloads in POST requests to /admin/pages/* endpoints, specifically targeting the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters.
Log Analysis: Review web server access logs for suspicious POST requests to page editing endpoints containing encoded script content or common XSS vectors such as <script>, onerror=, onload=, or javascript:.
Browser-Based Detection: Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts, which can serve as an early warning indicator of XSS exploitation.
Monitoring Recommendations
Deploy continuous monitoring for the following activities:
- Administrative page edit operations with anomalous content patterns
- Failed CSP violations from the admin panel
- Unusual outbound network connections from client browsers accessing the admin interface
- Changes to user sessions or authentication tokens following admin panel access
- Modifications to page files outside of expected administrative workflows
How to Mitigate CVE-2025-66311
Immediate Actions Required
- Upgrade Grav Admin Plugin to version 1.11.0-beta.1 or later immediately
- Audit all existing page files for potential malicious content in metadata and taxonomy fields
- Review administrative access logs for suspicious page modification activity
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
- Restrict administrative access to trusted networks where possible
Patch Information
The vulnerability has been addressed in Grav Admin Plugin version 1.11.0-beta.1. The fix is available via the official commit:
- Patch Commit:99f653296504f1d6408510dd2f6f20a45a26f9b0
- Security Advisory:GHSA-mpjj-4688-3fxg
Organizations should update via the Grav Package Manager (GPM) or by manually applying the patched version from the GitHub repository.
Workarounds
If immediate patching is not feasible, organizations should consider the following temporary mitigations:
Restrict Admin Access: Limit access to the Grav admin panel to trusted IP addresses only using web server configuration or firewall rules.
Implement WAF Rules: Deploy web application firewall rules to sanitize or block requests containing potential XSS payloads in the affected parameters.
Content Security Policy: Implement strict CSP headers to prevent execution of inline scripts:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';
Audit Existing Content: Manually review page frontmatter files for suspicious content:
# Search for potential XSS payloads in Grav page files
grep -r -i -E "(<script|javascript:|onerror=|onload=|onclick=)" user/pages/
Principle of Least Privilege: Minimize the number of users with administrative access and implement strong authentication mechanisms including multi-factor authentication where supported.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
