Urgent: Patch Now! Stored XSS Vulnerability in Grav Admin Plugin (CVE-2025-66311)

Overview

A critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66311, has been discovered in the Admin Plugin for Grav, a popular flat-file CMS. This vulnerability affects versions prior to 1.11.0-beta.1. The vulnerability allows attackers to inject malicious scripts into page frontmatter, which are then executed whenever an affected page is accessed through the administrative interface. Users of the Grav Admin plugin are strongly urged to update to version 1.11.0-beta.1 or later to mitigate this risk.

Technical Details

The vulnerability resides in the /admin/pages/[page] endpoint of the Grav Admin Plugin. Specifically, malicious scripts can be injected through the following parameters:

  • data[header][metadata]
  • data[header][taxonomy][category]
  • data[header][taxonomy][tag]

These parameters are used to update the page’s frontmatter, which stores metadata and configuration information. By injecting JavaScript code into these fields, an attacker can persistently store the script on the server. Whenever an administrator or other authorized user accesses or renders the affected page through the Grav Admin interface, the injected script will execute within their browser context.

CVSS Analysis

Because no CVSS score or severity rating has been published for this CVE, a precise CVSS analysis cannot be provided. Stored XSS vulnerabilities are, however, generally treated as high-severity: the potential for privilege escalation, data theft, and account compromise makes this a significant concern for Grav users. The absence of a score should not be taken to lessen the need to patch immediately.

Possible Impact

The potential impact of CVE-2025-66311 is significant:

  • Account Compromise: An attacker could steal administrator cookies or credentials, gaining full control over the Grav installation.
  • Data Theft: Sensitive information stored within the Grav CMS could be accessed and exfiltrated.
  • Website Defacement: The injected scripts could be used to modify website content, redirect users to malicious sites, or display misleading information.
  • Malware Distribution: The vulnerability could be leveraged to distribute malware to users accessing the affected pages.

Mitigation and Patch Steps

The recommended mitigation is to upgrade the Grav Admin Plugin to version 1.11.0-beta.1 or later. This version includes a fix that properly sanitizes user input and prevents the injection of malicious scripts.

  1. Upgrade the Plugin: Access the Grav Admin Panel and navigate to the Plugins section. Locate the Admin Plugin and click the “Update” button (if available) to upgrade to version 1.11.0-beta.1 or later.
  2. Verify the Version: After upgrading, verify that the Admin Plugin is running version 1.11.0-beta.1 or a later version.
  3. Review Existing Pages: Although less critical after upgrading, consider reviewing existing Grav pages in the admin panel for potentially injected code in the metadata and taxonomy fields. Manually remove any suspicious script tags.
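As an added review aid for step 3 (this is example code written for this advisory, not part of the advisory itself or of Grav's own code), the following Python scans a page's YAML frontmatter for raw HTML tags, inline event handlers and javascript: URLs under the metadata and taxonomy keys named above, and walks a pages tree to report every affected file. The sample page is constructed, and the user/pages location handed to scan_pages is an assumption.

```python
import re
from pathlib import Path

SUSPICIOUS = re.compile(r"</?[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)  # raw tags, event handlers, js: URLs
WATCHED_KEYS = ("metadata", "taxonomy")  # the frontmatter keys the advisory names
KEY_LINE = re.compile(r"\s*([A-Za-z0-9_][A-Za-z0-9_.-]*)\s*:")  # a "key:" line, never a "- item" line

def split_frontmatter(text):
    # Lines between the opening and closing '---' of a Grav page; [] when absent or unterminated.
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            return lines[1:i]
    return []

def scan_frontmatter(text):
    """Return (file_line_no, key_path, stripped_line) for suspicious values under watched keys."""
    findings, stack = [], []  # stack holds (indent, key) of the enclosing YAML mappings
    for n, line in enumerate(split_frontmatter(text), start=2):  # file line 1 is the opening '---'
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:  # dedent: leave the mappings we are no longer inside
            stack.pop()
        m = KEY_LINE.match(line)
        if m:
            stack.append((indent, m.group(1)))
        path = ".".join(k for _, k in stack)
        if path.split(".")[0] in WATCHED_KEYS and SUSPICIOUS.search(line):
            findings.append((n, path, line.strip()))
    return findings

def scan_pages(root):
    # Walk a Grav pages tree (e.g. user/pages, an assumed location) and keep only files with findings.
    files = Path(root).rglob("*.md")
    hits = {str(p): scan_frontmatter(p.read_text(encoding="utf-8", errors="replace")) for p in files}
    return {path: found for path, found in hits.items() if found}

# Constructed sample page: one tainted metadata field, one clean tag, one tainted tag.
SAMPLE_PAGE = """---
title: Release notes
metadata:
  keywords: "<img src=x onerror=alert(1)>"
taxonomy:
  tag:
    - news
    - "<script>alert(1)</script>"
---"""
```

Running scan_frontmatter(SAMPLE_PAGE) reports file lines 4 (metadata.keywords) and 8 (taxonomy.tag); the matching is deliberately broad, so treat each hit as something to inspect and remove by hand rather than as proof of compromise.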

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.