CVE-2025-66308

EPSS 0.02%

Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

Published: 12/2/2025
Modified: 12/2/2025
Also known as: GHSA-gqxx-248x-g29f

Description

## Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/config/site` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[taxonomies]` parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.

---

## Details

**Vulnerable Endpoint:** `POST /admin/config/site`

**Parameter:** `data[taxonomies]`

The application does not properly validate or sanitize input in the `data[taxonomies]` field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.

---

## PoC

**Payload:** `"><script>alert('XSS-PoC')</script>`

### Steps to Reproduce:

1. Log in to the _Grav_ Admin Panel with sufficient permissions to modify site configuration.
2. Navigate to **Configuration > Site**.
3. In the **Taxonomies Types** field (which maps to `data[taxonomies]`), insert the payload above: `"><script>alert('XSS-PoC')</script>`
4. Save the configuration.

   <img width="1897" height="628" alt="Pasted image 20250718195942" src="https://github.com/user-attachments/assets/2035fcaa-34fc-494c-a7ca-7c1e1f34b057" />
5. Go to Pages and click on one of them.

   <img width="932" height="587" alt="Pasted image 20250718200306" src="https://github.com/user-attachments/assets/3c1995ba-2581-4e27-ae9d-a17e2eeb5b57" />
6. The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.

   <img width="1204" height="377" alt="Pasted image 20250718200353" src="https://github.com/user-attachments/assets/ad8ea7ea-603f-4b84-aa5a-120de0cb56ce" />
7. The HTTP request submitted during this process contains the vulnerable parameter and payload:

   <img width="757" height="675" alt="Pasted image 20250718200445" src="https://github.com/user-attachments/assets/fbbe2b76-00eb-4426-8ddd-5cde2cc65d77" />

---

## Impact

Stored XSS attacks can lead to severe consequences, including:

- **Session hijacking:** Stealing cookies or authentication tokens to impersonate users
- **Credential theft:** Harvesting usernames and passwords using malicious scripts
- **Malware delivery:** Distributing unwanted or harmful code to victims
- **Privilege escalation:** Compromising administrative users through persistent scripts
- **Data manipulation or defacement:** Changing or disrupting site content
- **Reputation damage:** Eroding trust among site users and administrators

---

## Discoverer

[Marcelo Queiroz](www.linkedin.com/in/marceloqueirozjr) by [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)
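The Details section above states that the `data[taxonomies]` value is stored unvalidated and later rendered unescaped. The script below is an added example, not Grav's own code or part of the advisory: it shows the two defensive controls a maintainer would want (an allowlist for taxonomy type names on input, and HTML escaping on output) next to the unsafe rendering pattern, and an audit helper that flags already-stored entries. It assumes the configuration lives at `user/config/site.yaml` (Grav's usual location), uses a deliberately minimal reader for that one list instead of a YAML library, and the allowlist rule is an assumption, not Grav's validation. The sample YAML is constructed and contains the advisory's payload as its third entry.

```python
import html
import re

# Constructed sample of a Grav site configuration. Grav keeps this file at
# user/config/site.yaml (path assumed from Grav's layout); the entries here are
# made up, and the third one is the payload quoted in the advisory.
SAMPLE_SITE_YAML = """\
title: Example Site
taxonomies:
  - category
  - tag
  - "\\"><script>alert('XSS-PoC')</script>"
metadata:
  description: Example
"""

# Taxonomy type names are used as YAML keys, template variables and URL
# segments, so an allowlist of letters, digits, underscore and hyphen is a
# sensible server-side rule (assumed here; it is not Grav's own validation).
TAXONOMY_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def parse_taxonomies_block(yaml_text):
    """Minimal reader for the `taxonomies:` list of a site.yaml.

    Handles only a flat block sequence of plain or double-quoted scalars,
    which is enough for this field; a real tool would use a YAML library.
    """
    names = []
    in_block = False
    for raw in yaml_text.splitlines():
        if not in_block:
            in_block = raw.rstrip() == "taxonomies:"
            continue
        if not raw.startswith((" ", "\t")):
            break  # next top-level key ends the list
        item = raw.strip()
        if not item.startswith("- "):
            break
        value = item[2:].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        names.append(value)
    return names


def validate_taxonomies(names):
    """Split submitted names into (accepted, rejected); rejected carry a reason."""
    accepted, rejected = [], []
    for name in names:
        if TAXONOMY_NAME_RE.match(name):
            accepted.append(name)
        else:
            rejected.append((name, "not a valid taxonomy type name"))
    return accepted, rejected


def render_taxonomy_list_unsafe(names):
    """'Before' behaviour: values are interpolated into markup unescaped."""
    return "".join(f'<li data-taxonomy="{n}">{n}</li>' for n in names)


def render_taxonomy_list_safe(names):
    """Hardened rendering: every value is HTML-escaped in text and attributes."""
    return "".join(
        f'<li data-taxonomy="{html.escape(n, quote=True)}">'
        f"{html.escape(n, quote=True)}</li>"
        for n in names
    )


def audit_site_config(yaml_text):
    """Detection helper: list stored taxonomy entries that fail the allowlist."""
    _, rejected = validate_taxonomies(parse_taxonomies_block(yaml_text))
    return [name for name, _ in rejected]


if __name__ == "__main__":
    stored = parse_taxonomies_block(SAMPLE_SITE_YAML)
    print("stored taxonomies:", stored)
    print("unsafe render:", render_taxonomy_list_unsafe(stored))
    print("safe render:  ", render_taxonomy_list_safe(stored))
    print("audit findings:", audit_site_config(SAMPLE_SITE_YAML))
```

Input validation alone is not sufficient for entries that were stored before a fix is deployed, which is why `audit_site_config` is worth running over existing installs; output escaping is what makes an already-stored payload inert in the admin interface and on the public site.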

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 |  | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |

References (4)