Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66311

CVE-2025-66311: Grav Admin Plugin Stored XSS Vulnerability

CVE-2025-66311 is a stored cross-site scripting flaw in Grav Admin Plugin that allows attackers to inject malicious scripts into page metadata. This article covers technical details, affected versions, and mitigation steps.

Updated:

CVE-2025-66311 Overview

CVE-2025-66311 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Grav Admin Plugin, an HTML user interface that provides a convenient way to configure Grav CMS and easily create and modify pages. The vulnerability exists in the /admin/pages/[page] endpoint and allows attackers with administrative privileges to inject malicious scripts into page metadata and taxonomy parameters. These scripts are stored in the page frontmatter and execute automatically whenever the affected page is accessed or rendered in the administrative interface.

The vulnerability specifically affects the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. When exploited, this stored XSS can lead to session hijacking, credential theft, administrative account compromise, and further attacks against other authenticated users accessing the affected pages.

Critical Impact

Stored XSS vulnerability allowing malicious script injection in Grav Admin interface that executes when affected pages are viewed, potentially compromising administrative sessions and enabling privilege escalation across the CMS.

Affected Products

  • Grav Admin Plugin versions prior to 1.11.0-beta.1
  • getgrav grav-plugin-admin

Discovery Timeline

  • December 1, 2025 - CVE-2025-66311 published to NVD
  • December 3, 2025 - Last updated in NVD database

Technical Details for CVE-2025-66311

Vulnerability Analysis

This Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) resides in the page editing functionality of the Grav Admin Plugin. The vulnerability has been assigned a CVSS 4.0 score of 6.2 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

The attack vector is Network-based, requiring high privileges (PR:H) and active user interaction (UI:A). While the direct confidentiality and integrity impacts are limited, the subsequent system impacts are rated high, indicating the potential for significant downstream compromise.

The EPSS (Exploit Prediction Scoring System) data indicates an exploitation probability of approximately 0.028% with a percentile ranking of 7.159, suggesting a relatively low likelihood of active exploitation in the wild. However, organizations should not delay remediation as stored XSS vulnerabilities can have cascading effects.

Root Cause

The root cause of CVE-2025-66311 is improper input validation and output encoding in the Grav Admin Plugin's page editing functionality. When users submit data through the page configuration forms, the application fails to properly sanitize user-supplied input in the metadata and taxonomy fields before storing them in the page frontmatter. Subsequently, when these pages are rendered in the administrative interface, the malicious payloads are executed in the browser context of authenticated users without proper output encoding.

The vulnerable parameters include:

  • data[header][metadata] - Page metadata fields
  • data[header][taxonomy][category] - Taxonomy category assignments
  • data[header][taxonomy][tag] - Taxonomy tag assignments

Attack Vector

The attack requires an authenticated user with administrative access to the Grav CMS backend. The attacker would navigate to the page editing interface at /admin/pages/[page] and inject malicious JavaScript code into one of the vulnerable form fields. The malicious payload is then stored within the page's YAML frontmatter.

When any authenticated administrator subsequently views or edits the affected page, the stored script executes within their browser session. This can lead to:

  • Session token theft via document.cookie access
  • Keylogging of administrative credentials
  • CSRF attacks against other admin functionality
  • Defacement of the administrative interface
  • Lateral movement to compromise other administrative accounts

The exploitation requires the victim to actively view the compromised page in the admin panel, making it a targeted attack vector suitable for spear-phishing scenarios within multi-admin environments.

Detection Methods for CVE-2025-66311

Indicators of Compromise

  • Unusual JavaScript code present in page frontmatter YAML files (.md files in the user/pages/ directory)
  • Script tags or event handlers embedded in metadata, category, or tag fields
  • Unexpected external resource requests originating from the admin interface
  • Anomalous session activity or authentication events following page views
  • Modified page files with obfuscated or encoded content in header sections

Detection Strategies

Organizations should implement the following detection strategies to identify potential exploitation:

File Integrity Monitoring: Monitor the user/pages/ directory for modifications to page files. Look for unusual patterns in YAML frontmatter such as script tags, javascript: URLs, or HTML event handlers.

Web Application Firewall (WAF) Rules: Configure WAF rules to detect and block XSS payloads in POST requests to /admin/pages/* endpoints, specifically targeting the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters.

Log Analysis: Review web server access logs for suspicious POST requests to page editing endpoints containing encoded script content or common XSS vectors such as <script>, onerror=, onload=, or javascript:.

Browser-Based Detection: Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts, which can serve as an early warning indicator of XSS exploitation.

Monitoring Recommendations

Deploy continuous monitoring for the following activities:

  • Administrative page edit operations with anomalous content patterns
  • Failed CSP violations from the admin panel
  • Unusual outbound network connections from client browsers accessing the admin interface
  • Changes to user sessions or authentication tokens following admin panel access
  • Modifications to page files outside of expected administrative workflows

How to Mitigate CVE-2025-66311

Immediate Actions Required

  • Upgrade Grav Admin Plugin to version 1.11.0-beta.1 or later immediately
  • Audit all existing page files for potential malicious content in metadata and taxonomy fields
  • Review administrative access logs for suspicious page modification activity
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Restrict administrative access to trusted networks where possible

Patch Information

The vulnerability has been addressed in Grav Admin Plugin version 1.11.0-beta.1. The fix is available via the official commit:

Organizations should update via the Grav Package Manager (GPM) or by manually applying the patched version from the GitHub repository.

Workarounds

If immediate patching is not feasible, organizations should consider the following temporary mitigations:

Restrict Admin Access: Limit access to the Grav admin panel to trusted IP addresses only using web server configuration or firewall rules.

Implement WAF Rules: Deploy web application firewall rules to sanitize or block requests containing potential XSS payloads in the affected parameters.

Content Security Policy: Implement strict CSP headers to prevent execution of inline scripts:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';

Audit Existing Content: Manually review page frontmatter files for suspicious content:

bash
# Search for potential XSS payloads in Grav page files
grep -r -i -E "(<script|javascript:|onerror=|onload=|onclick=)" user/pages/

Principle of Least Privilege: Minimize the number of users with administrative access and implement strong authentication mechanisms including multi-factor authentication where supported.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.