N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66308

CVE-2025-66308: Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.

Details

Vulnerable Endpoint: POST /admin/config/site
Parameter: data[taxonomies]

The application does not properly validate or sanitize input in the data[taxonomies] field. As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.

PoC

Payload:

"><script>alert('XSS-PoC')</script>

Steps to Reproduce:

Log in to the Grav Admin Panel with sufficient permissions to modify site configuration.
Navigate to Configuration > Site.
In the Taxonomies Types field (which maps to data[taxonomies]), insert the payload above:

"><script>alert('XSS-PoC')</script>
Save the configuration.

Go on Pages and click on one of them

The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.

The HTTP request submitted during this process contains the vulnerable parameter and payload:

Impact

Stored XSS attacks can lead to severe consequences, including:

Session hijacking: Stealing cookies or authentication tokens to impersonate users
Credential theft: Harvesting usernames and passwords using malicious scripts
Malware delivery: Distributing unwanted or harmful code to victims
Privilege escalation: Compromising administrative users through persistent scripts
Data manipulation or defacement: Changing or disrupting site content
Reputation damage: Eroding trust among site users and administrators

Discoverer

Marcelo Queiroz

by CVE-Hunters

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66308

CVE-2025-66308:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Grav Admin Plugin, specifically related to the handling of taxonomy names. The root cause is the failure to properly sanitize user-provided input before rendering it in the admin interface.

Injection Point: An attacker can inject a malicious script into a taxonomy name via the data[taxonomies] parameter on the POST /admin/config/site endpoint.
Vulnerable Rendering: The primary vulnerability is located in the themes/grav/templates/forms/fields/taxonomy/taxonomy.html.twig template. This template used the user-controlled taxonomy name to create a label, but failed to escape the HTML entities. The patch adds the |e (escape) filter in the Twig template to neutralize any embedded scripts.
Defense-in-Depth: A secondary, broader fix was implemented in the SelectizeField.init JavaScript function (themes/grav/app/forms/fields/selectize.js). This function is responsible for creating dropdowns. The patch ensures that all dropdown options are HTML-escaped by default, which prevents this and similar XSS vulnerabilities across the application where selectize.js is used for user-provided content.

During exploitation, a profiler would show the execution path leading to the rendering of the taxonomy.html.twig template. On the client-side, the SelectizeField.init function would be called to initialize the vulnerable dropdown component. Therefore, both the template and the JavaScript function are identified as key components related to the vulnerability.

Vulnerable functions

taxonomy.html.twig

themes/grav/templates/forms/fields/taxonomy/taxonomy.html.twig

This Twig template is used to render taxonomy fields in the Grav admin panel. The vulnerability lies in the fact that the `name` of a taxonomy, which is user-controllable, was used directly as the field's `label` without proper HTML escaping. An attacker could create a taxonomy with a name containing malicious JavaScript. When this taxonomy field is rendered on a page (such as the site configuration page), the script would be executed in the browser of any administrator viewing it. The patch fixes this by applying the `|e` filter, which escapes the output.

SelectizeField.init

themes/grav/app/forms/fields/selectize.js

This JavaScript function initializes the 'selectize.js' library for dropdown fields in the admin interface. The vulnerability existed because, by default, the library did not escape the HTML content of the options presented in the dropdowns. This allowed for stored XSS if a user-provided value (like a taxonomy name) containing malicious code was rendered as a select option. The patch introduces a `SafeRender` object that provides default rendering functions to escape HTML content, thus preventing the XSS. This change acts as a defense-in-depth mechanism for all selectize-based fields.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66308: Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

Summary

Details

PoC

Steps to Reproduce:

Impact

Discoverer

CVE-2025-66308:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2025-66308: Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

Summary

Details

PoC

Steps to Reproduce:

Impact

Discoverer

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI