Grav, Stored XSS, CVE-2025-5???? (Moderate)


This vulnerability abuses Grav’s page editing interface, which insufficiently sanitizes user input in content fields. An authenticated user, even one with minimal permissions, can inject a script payload (e.g., <script>alert(document.cookie)</script>) into an editable field during normal page editing. Grav stores this unsanitized payload as part of the page’s data. The vulnerability is triggered when another user, such as an administrator, views or edits the compromised page in the admin panel: the victim’s browser renders the page and executes the injected JavaScript within their session context. This allows the attacker to act as the victim, potentially leading to session hijacking, account takeover, or defacement of the CMS.
Platform: Grav CMS
Version: < 1.7.49.5
Vulnerability: Authenticated Stored XSS
Severity: Moderate
Date: 2025-12-15

Prediction: Patch 2025-12-29

What Undercode Says:

Analytics:

# Locate Twig templates and PHP code that emit unescaped output (|raw) or escape it (htmlspecialchars)
grep -rE "raw|htmlspecialchars" themes/ plugins/ system/
curl -X POST -H "Authorization: Bearer <token>" -d "content=<script>payload</script>" $URL/admin/pages
# List stored page files whose content already contains script markup
find ./user/pages -name "*.md" -exec grep -l "script" {} \;
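As an added defender-side example (not from the original post or from the Grav project), a small Python scanner that generalizes the `find`/`grep` check above: it reads a constructed Grav page file (YAML front matter plus Markdown body) and reports body lines carrying script tags, inline event handlers or javascript: URIs, which are the kinds of markup a stored XSS payload needs.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample of a Grav page file (YAML front matter + Markdown body).
# The body carries the kind of inline HTML this advisory describes.
SAMPLE_PAGE = """---
title: Home
---
# Welcome
<p onmouseover="alert(1)">hover</p>
<a href="javascript:alert(document.cookie)">link</a>
<script>alert(document.cookie)</script>
"""

# Markup that should never survive in editor-supplied page content.
RISKY_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[^>]*\son\w+\s*=", re.I)),
    ("javascript_uri", re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I)),
]


def body_lines(page: str) -> Iterator[Tuple[int, str]]:
    """Yield (file_line_number, text) for body lines, skipping Grav's YAML front matter."""
    lines = page.splitlines()
    start = 0
    if lines and lines[0].strip() == "---":
        for i in range(1, len(lines)):
            if lines[i].strip() == "---":
                start = i + 1
                break
    for i in range(start, len(lines)):
        yield i + 1, lines[i]


def scan_page(page: str) -> List[Tuple[str, int, str]]:
    """Return (pattern_name, file_line_number, line_text) for each risky body line."""
    findings = []
    for lineno, line in body_lines(page):
        for name, pattern in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for name, lineno, text in scan_page(SAMPLE_PAGE):
        print(f"{name:15} line {lineno}: {text}")
```

Run over each `user/pages/**/*.md` file to triage what the raw `grep` for "script" surfaces; a clean Markdown page yields no findings.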

How the Exploit Works:

1. Attacker authenticates to Grav admin.

2. Edits any page content.

3. Inserts malicious JavaScript payload.

4. Saves the page.

5. Waits for admin to view page.

6. Payload executes in admin session.

Protection from this CVE:

Update to Grav v1.7.49.5+.

Implement strict Content Security Policy (CSP).

Sanitize all user-controlled input/output.

Use HTMLPurifier or equivalent.

Impact:

Session hijacking.

Administrative account compromise.

Malicious action execution.

Site defacement.


Sources:

Reported By: github.com