Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- >= 1.7.49.5, <= 1.10.49.1
A privilege escalation vulnerability has been identified in the Grav Admin plugin, prior to version 1.8.0-beta.27. The issue arises from the lack of username uniqueness validation during user creation. This allows a user with permission to create accounts to duplicate the username of an existing administrator, reset the administrator's password or email, and gain access to the administrator account. Consequently, this vulnerability enables a user to escalate privileges from limited user-manager rights to full administrative access.
Exploitation of this vulnerability allows for complete takeover of an admin account, including the ability to change admin credentials, manage plugins, access and modify site data, and perform any other administrative tasks.
To reproduce this vulnerability, first ensure there are two accounts: one admin and one user with the permission to create new users. Log into the user account and navigate to the user management section. Select the option to add a new user and enter the username of the existing admin account. After completing the registration, the admin's email will be updated to the one provided. Log out of the user account and log back in as the admin using the new credentials.
Users can update to Grav version 1.8.0-beta.27 or later to address this vulnerability.
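The root cause described above is a missing uniqueness check at account creation. The following is an added illustration, not code from Grav or the Admin plugin: a server-side username uniqueness validator, plus an audit routine that flags duplicate usernames already present in an account store (relevant for sites that ran a vulnerable version before updating). The account records and their field names are constructed assumptions.

```python
import unicodedata

# Constructed sample account records (not real Grav data); the shape
# (one dict per account with "username", "email" and "access") is an assumption.
SAMPLE_ACCOUNTS = [
    {"username": "admin",  "email": "admin@example.test",  "access": {"admin": {"super": True}}},
    {"username": "editor", "email": "editor@example.test", "access": {"admin": {"users": True}}},
    {"username": "Admin",  "email": "other@example.test",  "access": {"admin": {"login": True}}},
]


def canonical_username(name: str) -> str:
    """Normalize a username so look-alike spellings collide.

    NFKC normalization, whitespace trimming and case-folding make "Admin",
    " ADMIN " and fullwidth "ａｄｍｉｎ" all compare equal to "admin", so the
    uniqueness check cannot be sidestepped with a cosmetic variant.
    """
    return unicodedata.normalize("NFKC", name).strip().casefold()


def validate_new_username(name: str, accounts) -> tuple[bool, str]:
    """Uniqueness check to run server-side before any account is created or renamed."""
    canon = canonical_username(name)
    if not canon:
        return False, "username is empty"
    taken = {canonical_username(a["username"]) for a in accounts}
    if canon in taken:
        return False, f"username {name!r} collides with an existing account"
    return True, "ok"


def find_duplicate_accounts(accounts) -> dict[str, list[str]]:
    """Audit an existing user store.

    Returns each canonical name that occurs more than once, mapped to the raw
    spellings found, so duplicates created before the fix can be reviewed.
    """
    seen: dict[str, list[str]] = {}
    for a in accounts:
        seen.setdefault(canonical_username(a["username"]), []).append(a["username"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print(validate_new_username("ADMIN", SAMPLE_ACCOUNTS))
    print(find_duplicate_accounts(SAMPLE_ACCOUNTS))
```

The check must live in the same server-side code path that writes the account record; a client-side or form-level check alone does not close the issue.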