Overview
CVE-2025-66308 identifies a stored Cross-Site Scripting (XSS) vulnerability present in the Admin Plugin for Grav, a popular flat-file CMS. This vulnerability allows attackers to inject malicious JavaScript code into the application’s configuration, which is then executed in the browsers of administrators who access the site’s configuration settings. This poses a significant security risk and requires immediate attention.
Technical Details
The vulnerability resides in the /admin/config/site endpoint of the Grav application when using a vulnerable version of the Admin plugin. Specifically, the data[taxonomies] parameter is susceptible to malicious input. An attacker can inject arbitrary HTML and JavaScript code into this parameter. Because the input is stored server-side, the injected script is executed whenever an administrator accesses the affected site configuration page within the Grav admin panel. This persistence is what makes it a stored XSS vulnerability.
Versions of the Grav Admin Plugin prior to 1.11.0-beta.1 are affected; the flaw was resolved in the 1.11.0-beta.1 release.
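As an added defender-side check, not part of the original advisory or of the Grav project's code: a Python script that audits the taxonomy names stored in the site configuration (assumed to live in user/config/site.yaml; read here from a constructed inline sample) and flags any entry that is not a plain identifier, alongside the output escaping that stops a stored name from being rendered as markup. It assumes the taxonomies block is a simple list of `- item` lines.

```python
import html
import re

# Constructed sample of a Grav site configuration file (assumed path
# user/config/site.yaml). The last taxonomy entry simulates injected markup.
SAMPLE_SITE_YAML = """\
title: Example Site
taxonomies:
  - category
  - tag
  - "<script>alert(1)</script>"
metadata:
  description: demo
"""

# A taxonomy name is expected to be a plain identifier; anything else is suspect.
SAFE_TAXONOMY = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_taxonomies(yaml_text):
    """Minimal reader for the `taxonomies:` block (simple '- item' lines only)."""
    names, in_block = [], False
    for line in yaml_text.splitlines():
        if re.match(r"^taxonomies:\s*$", line):
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s+-\s*(.*)$", line)
            if not m:
                in_block = False  # block ended at the next top-level key
                continue
            names.append(m.group(1).strip().strip("\"'"))
    return names


def audit_taxonomies(yaml_text):
    """Return taxonomy names that would be unsafe to render unescaped."""
    return [n for n in parse_taxonomies(yaml_text) if not SAFE_TAXONOMY.match(n)]


def render_taxonomy_option(name):
    """Defensive rendering: HTML-escape a stored name before embedding it in admin markup."""
    return f'<option value="{html.escape(name, quote=True)}">{html.escape(name)}</option>'


if __name__ == "__main__":
    for bad in audit_taxonomies(SAMPLE_SITE_YAML):
        print("suspicious taxonomy entry:", repr(bad))
```

Run the audit against the real configuration file after restoring from backup or after a compromise is suspected; a clean file returns an empty list.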
CVSS Analysis
Due to the absence of CVSS data at the time of writing, a formal CVSS score is not available. However, given that this is a stored XSS vulnerability affecting administrative interfaces, the severity is likely to be high. Successful exploitation could lead to complete compromise of the Grav website, including data theft, modification, and administrator account takeover.
Possible Impact
The potential impact of CVE-2025-66308 is significant:
- Administrator Account Takeover: An attacker can steal administrator session cookies or inject code to create new administrator accounts.
- Website Defacement: The attacker can modify the website’s content, redirect users to malicious websites, or display misleading information.
- Data Theft: Sensitive data stored within the Grav CMS could be accessed and exfiltrated by the attacker.
- Malware Distribution: The attacker could inject malicious scripts to distribute malware to website visitors.
Mitigation and Patch Steps
The primary mitigation step is to upgrade the Grav Admin Plugin to version 1.11.0-beta.1 or later. This version contains the fix for the identified XSS vulnerability. You can upgrade the plugin through the Grav Admin panel or manually by downloading the latest version from the Grav website.
Steps to upgrade:
- Log in to your Grav Admin Panel.
- Navigate to the “Plugins” section.
- Locate the “Admin” plugin.
- Click the “Update” button if an update is available.
- Verify the Admin plugin version is 1.11.0-beta.1 or higher.
References
GitHub Commit: Fix for Stored XSS in Admin Plugin
GitHub Security Advisory: GHSA-gqxx-248x-g29f
