CVE-2025-66310: Critical Stored XSS Found in Grav Admin Plugin – Upgrade Now!

Overview

CVE-2025-66310 identifies a Stored Cross-Site Scripting (XSS) vulnerability in the Admin plugin for Grav CMS. This plugin provides a web-based interface for managing Grav installations. The vulnerability allows attackers to inject malicious JavaScript code into the page configuration, leading to potential account compromise and other severe consequences. The vulnerability affects versions prior to 1.11.0-beta.1.

Technical Details

The vulnerability resides in the /admin/pages/[page] endpoint of the Grav application’s Admin plugin. Specifically, the data[header][template] parameter is vulnerable to Stored XSS. An attacker can inject malicious JavaScript code into this parameter, which is then saved as part of the page’s frontmatter. This injected script is executed whenever the affected page is rendered within the administrative interface or viewed on the frontend of the website by regular visitors.

The injected script is persistent: it is stored with the page's frontmatter and executed every time the page is accessed, which makes this a particularly dangerous type of XSS vulnerability.

CVSS Analysis

No CVSS score has been published for this CVE, so a proper risk assessment is not yet possible. Stored XSS vulnerabilities are, however, generally considered high-risk because of their persistence and potential for widespread impact. A successful exploit could lead to:

  • Account takeover of administrators or other users.
  • Defacement of the website.
  • Redirection of users to malicious websites.
  • Data theft.

Without a CVSS score we cannot make a definitive statement on the severity of the issue, but you should mitigate as soon as possible.

Possible Impact

The impact of this vulnerability can be significant. An attacker could leverage it to:

  • Compromise administrator accounts, granting the attacker full control over the Grav CMS installation.
  • Modify website content, injecting malicious code into pages to steal user credentials or spread malware.
  • Deface the website, damaging its reputation.
  • Redirect users to phishing sites, harvesting sensitive information.

Mitigation and Patch Steps

The recommended mitigation is to update your Grav Admin plugin to version 1.11.0-beta.1 or later. This version contains a fix for the Stored XSS vulnerability.

  1. Log into your Grav Admin panel.
  2. Navigate to the Plugins section.
  3. Locate the Admin plugin.
  4. Click the “Update” button if an update is available. If not available directly, update Grav CMS.
  5. Verify that the Admin plugin version is 1.11.0-beta.1 or higher after the update.
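Two checks a defender can run on a flat-file Grav install, as an added example that is not part of this advisory or of the Grav project: scan every page's frontmatter for a `template` value that is not a plain template name (the field the Technical Details section describes), and compare the installed Admin plugin version against the fixed release named above. The allowlist pattern and the blueprints.yaml path are assumptions.

```python
"""Added example (not the advisory's or Grav's code): find injected 'template'
values in Grav page frontmatter and verify the Admin plugin version."""
import re
from pathlib import Path

# Assumption: legitimate Grav template names are file stems such as
# 'default' or 'blog_item', so anything outside this pattern is suspect.
SAFE_TEMPLATE = re.compile(r"^[A-Za-z0-9_-]+$")
FIXED_VERSION = "1.11.0-beta.1"  # fixed release named in the advisory


def template_values(markdown: str):
    """Return raw 'template:' values from the YAML frontmatter of one page."""
    if not markdown.lstrip().startswith("---"):
        return []
    parts = markdown.split("---", 2)  # ['', frontmatter, body]
    if len(parts) < 3:
        return []
    values = []
    for line in parts[1].splitlines():
        m = re.match(r"^\s*template:\s*(.*?)\s*$", line)
        if m:
            values.append(m.group(1).strip("'\""))
    return values


def suspicious_templates(markdown: str):
    """Template values that are not plain names (possible stored XSS)."""
    return [v for v in template_values(markdown) if not SAFE_TEMPLATE.match(v)]


def scan_pages(pages_root: Path):
    """Yield (path, value) for every .md page under pages_root that is suspect."""
    for md in pages_root.rglob("*.md"):
        text = md.read_text(encoding="utf-8", errors="replace")
        for value in suspicious_templates(text):
            yield md, value


def version_key(version: str):
    """Sort key so that 1.10.9 < 1.11.0-beta.1 < 1.11.0 (pre-releases sort first)."""
    core, _, pre = version.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return nums + ((0, pre) if pre else (1, ""))


def admin_is_patched(installed: str) -> bool:
    """True when the installed Admin plugin is at or above the fixed version."""
    return version_key(installed) >= version_key(FIXED_VERSION)


# Constructed sample pages: one benign, one carrying an injected value.
SAMPLE_CLEAN = "---\ntitle: Home\ntemplate: default\n---\n# Hello\n"
SAMPLE_BAD = "---\ntitle: Home\ntemplate: \"<script>alert(1)</script>\"\n---\n"
```

On a real install, point `scan_pages` at `user/pages` and `admin_is_patched` at the `version:` value from the Admin plugin's blueprints.yaml (assumed path `user/plugins/admin/blueprints.yaml`).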

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
