CVE-2025-66312 Overview
CVE-2025-66312 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Grav Admin Plugin, which provides an HTML user interface for configuring Grav CMS and managing pages. The vulnerability exists in the /admin/accounts/groups/Grupo endpoint, allowing attackers to inject malicious scripts into the data[readableName] parameter. Once injected, these scripts are stored on the server and automatically executed whenever the affected page is accessed by users, creating a persistent attack vector that poses significant security risks to administrators and users of affected Grav installations.
Critical Impact
Attackers with high privileges can inject persistent malicious scripts that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, administrative account compromise, and further attacks against the CMS infrastructure.
Affected Products
- Grav Admin Plugin versions prior to 1.11.0-beta.1
- getgrav grav-plugin-admin
Discovery Timeline
- December 1, 2025 - CVE-2025-66312 published to NVD
- December 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66312
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The Grav Admin Plugin prior to version 1.11.0-beta.1 fails to properly sanitize user-supplied input in the data[readableName] parameter when creating or modifying account groups. The stored nature of this XSS vulnerability makes it particularly dangerous, as the malicious payload persists in the application's database and executes automatically for any user who accesses the affected page.
The vulnerability has been assigned a CVSS 4.0 score of 6.2 (Medium) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. While the attack requires high privileges (PR:H) and active user interaction (UI:A), the subsequent system impact is high for confidentiality, integrity, and availability of downstream components.
The EPSS (Exploit Prediction Scoring System) indicates a probability of 0.028% with a percentile rank of 7.159 as of December 16, 2025, suggesting relatively low likelihood of active exploitation in the wild.
Root Cause
The root cause of this vulnerability stems from insufficient input validation and output encoding in the Grav Admin Plugin's group management functionality. When user input is accepted for the readableName field, it is not properly sanitized before being stored in the database or rendered back to users in the HTML context. This allows HTML and JavaScript content to be embedded within what should be a plain text field.
The security patch implemented safe rendering functions that properly escape HTML content to prevent XSS attacks across multiple components of the admin interface.
Attack Vector
The attack vector is network-based (AV:N), requiring an authenticated attacker with administrative privileges to exploit the vulnerability. The attack flow involves:
- An attacker with high-level privileges accesses the /admin/accounts/groups/Grupo endpoint
- The attacker injects malicious JavaScript code into the data[readableName] parameter
- The malicious payload is stored in the application database without proper sanitization
- When other administrators or users access the affected groups page, the stored script executes in their browser context
- The executed script can steal session tokens, perform actions on behalf of the victim, or exfiltrate sensitive data
The security fix introduces safe rendering functions that properly escape user input:
// Security: Default render functions that escape HTML to prevent XSS
// (GHSA-65mj-f7p4-wggq, GHSA-7g78-5g5g-mvfj, GHSA-mpjj-4688-3fxg)
const SafeRender = {
option: function(item, escape) {
return `<div>${escape(item.text || item.value)}</div>`;
},
item: function(item, escape) {
return `<div>${escape(item.text || item.value)}</div>`;
}
};
export default class SelectizeField {
constructor(options = {}) {
this.options = Object.assign({}, options);
Source: https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
The patch also addresses related security concerns including user enumeration through error messages:
$interval = $config->get('plugins.login.max_pw_resets_interval', 2);
- $this->setMessage($this->translate('PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $to, $interval), 'error');
+ // Security: Use generic message to prevent email enumeration (GHSA-q3qx-cp62-f6m7)
+ $this->setMessage($this->translate('PLUGIN_ADMIN.FORGOT_CANNOT_RESET_RATE_LIMITED', $interval), 'error');
return $this->createRedirectResponse($current);
}
Source: https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
Detection Methods for CVE-2025-66312
Indicators of Compromise
- Unusual JavaScript code or HTML tags present in group readable names within the Grav admin database
- Unexpected script execution or redirect behavior when accessing the /admin/accounts/groups/ endpoints
- Network requests to external domains originating from the Grav admin panel that were not initiated by legitimate administrator actions
- Session token exfiltration attempts visible in web server access logs
Detection Strategies
Organizations can implement several detection strategies to identify exploitation attempts:
Log Analysis: Monitor web server access logs for suspicious POST requests to /admin/accounts/groups/ endpoints containing script tags, event handlers (e.g., onerror, onload), or encoded JavaScript payloads in the data[readableName] parameter.
Database Auditing: Periodically audit the Grav database for stored content containing potentially malicious patterns such as <script>, javascript:, or HTML event attributes in fields that should contain plain text.
Web Application Firewall (WAF): Configure WAF rules to detect and block requests containing XSS payloads targeting the Grav admin interface endpoints.
Content Security Policy Monitoring: Implement CSP headers with report-uri to receive notifications when inline scripts attempt to execute, which could indicate XSS exploitation.
Monitoring Recommendations
Deploy runtime application self-protection (RASP) solutions to detect and block XSS attacks at the application layer. Implement strict Content Security Policy (CSP) headers that prevent inline script execution and restrict script sources to trusted domains. Enable comprehensive audit logging for all administrative actions within the Grav CMS, particularly those involving user and group management. Utilize SentinelOne's Singularity platform to monitor endpoint behavior for suspicious browser activities and potential credential theft attempts following successful XSS exploitation.
How to Mitigate CVE-2025-66312
Immediate Actions Required
- Upgrade the Grav Admin Plugin to version 1.11.0-beta.1 or later immediately
- Review existing group configurations for any suspicious content in the readableName field and sanitize if necessary
- Implement Content Security Policy (CSP) headers to mitigate the impact of any unpatched or zero-day XSS vulnerabilities
- Restrict administrative access to trusted IP addresses and ensure multi-factor authentication is enabled for all admin accounts
Patch Information
The vulnerability has been addressed in Grav Admin Plugin version 1.11.0-beta.1. The security patch is available through the official Grav repository at commit 99f653296504f1d6408510dd2f6f20a45a26f9b0. Organizations should update their Grav installations using the built-in update mechanism or by manually applying the patched version. The official security advisory is available at: https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988
Workarounds
If immediate patching is not possible, organizations can implement temporary mitigations:
# Configure nginx to add Content Security Policy headers for Grav admin
location /admin {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# Restrict admin access to trusted IP ranges
allow 10.0.0.0/8;
allow 192.168.1.0/24;
deny all;
}
Additionally, implement input validation at the web application firewall level to block requests containing HTML or JavaScript in the data[readableName] parameter. Consider temporarily restricting access to the group management functionality until the patch can be applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
