CVE-2026-42607

Grav · Grav CMS

Grav CMS allows authenticated administrators to achieve Remote Code Execution (RCE) by uploading malicious ZIP files via the "Direct Install" tool.

Executive summary

A critical RCE vulnerability in Grav CMS allows an authenticated administrator to execute arbitrary code on the server, because the "Direct Install" tool does not inspect the contents of an uploaded plugin archive before installing it.

Vulnerability

The flaw is in the admin panel's "Direct Install" tool, which accepts a ZIP archive and installs it as a plugin without inspecting its contents. An attacker who already holds an administrator account can therefore package a web shell (or any other PHP file) as a plugin, upload it, and have the web server execute it. The precondition is an authenticated administrator session, so the vulnerability turns CMS administrator rights into arbitrary code execution under the account the PHP process runs as; it does not give an unauthenticated party a way in.

Business impact

Successful exploitation yields arbitrary code execution on the web server under the account the PHP process runs as, and from there access to the site's configuration, content and any credentials the server holds. With a CVSS score of 9.1 (the Critical band), this is a high-impact risk for any organization running an affected version, even though exploitation requires an administrator account.

Remediation

Immediate Action: Upgrade to Grav version 2.0.0-beta.2 or later.

Proactive Monitoring: Baseline the plugins directory and alert on any new or modified PHP file that did not arrive through a reviewed change; review web server and PHP logs for requests to unexpected PHP paths under the plugins directory and for child processes spawned by the PHP worker.

Compensating Controls: Keep the number of administrator accounts small and restrict who may use the "Direct Install" feature. Enforce file system permissions so that files written to upload and cache directories cannot be executed. Note that Grav plugins are PHP code by design, so the plugins directory itself cannot be marked non-executable; there the control is change detection rather than execution prevention.
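The inspection that the advisory says the Direct Install tool omits, together with the plugins-directory baselining recommended under Proactive Monitoring, can be illustrated in one script. The following Python is an added example written for this page; it is not Grav's code and not the fix that shipped in 2.0.0-beta.2. Everything in it is an assumption: the sample archives are constructed, the web-shell indicator patterns are a deliberately narrow heuristic, the list of PHP file extensions is assumed, and the check for a blueprints.yaml reflects the plugin packaging layout assumed here.

```python
"""Inspect a plugin ZIP before install and audit the installed plugins tree.
Illustrative, not Grav's code; the samples, assumed layout (blueprints.yaml per plugin) and patterns are assumptions."""
from __future__ import annotations
import hashlib, io, os, posixpath, re, zipfile

PHP_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar", ".inc"}  # assumed handler map
MAX_UNPACKED = 50 * 1024 * 1024   # refuse archives that unpack past 50 MiB
MAX_SCAN = 1024 * 1024            # content-scan at most 1 MiB per PHP file
# Narrow web-shell heuristics (constructed; expect false positives, review hits).
INDICATORS = {
    "exec": re.compile(rb"\b(eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
    "input": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|FILES)\b"),
    "obfuscation": re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}

def classify_php(src: bytes) -> str | None:
    """'web-shell' if an exec sink meets request input or an encoded payload, 'review' for a lone hit."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(src)}
    if "exec" in hits and hits & {"input", "obfuscation"}:
        return "web-shell"
    return "review" if hits else None

def unsafe_member_path(name: str) -> bool:
    """Zip-slip: absolute path, drive letter, or a '..' component."""
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return True
    return ".." in name.replace("\\", "/").split("/")

def inspect_plugin_zip(data: bytes) -> list[tuple[str, str]]:
    """Inspect an upload without extracting it; returns (finding, member) pairs, [] if clean."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if not any(posixpath.basename(i.filename) == "blueprints.yaml" for i in infos):
            findings.append(("no-blueprint", "blueprints.yaml"))
        unpacked = 0
        for info in infos:
            name = info.filename
            if unsafe_member_path(name):
                findings.append(("zip-slip", name))
            unpacked += info.file_size
            if unpacked > MAX_UNPACKED:
                findings.append(("unpacked-size-limit", name))
                break
            if info.is_dir() or posixpath.splitext(name)[1].lower() not in PHP_EXTS:
                continue
            with zf.open(info) as member:            # bounded read, nothing hits disk
                verdict = classify_php(member.read(MAX_SCAN))
            if verdict:
                findings.append((verdict, name))
    return findings

def snapshot_tree(root: str) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by forward-slash relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(baseline: dict, current: dict) -> tuple[list, list, list]:
    """Paths added, modified and removed relative to a trusted baseline."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed

def audit_plugins_dir(root: str, baseline: dict) -> list[tuple[str, str]]:
    """Report every change since the baseline and content-scan the changed PHP files."""
    added, modified, removed = diff_manifests(baseline, snapshot_tree(root))
    findings = [("added", p) for p in added] + [("modified", p) for p in modified]
    findings += [("removed", p) for p in removed]
    for rel in added + modified:
        if os.path.splitext(rel)[1].lower() in PHP_EXTS:
            with open(os.path.join(root, rel), "rb") as fh:
                verdict = classify_php(fh.read(MAX_SCAN))
            if verdict:
                findings.append((verdict, rel))
    return findings

# Constructed samples: a minimal benign plugin class and a one-line web shell.
BENIGN_PHP = (b"<?php\nnamespace Grav\\Plugin;\nuse Grav\\Common\\Plugin;\n"
              b"class HelloPlugin extends Plugin {\n"
              b"    public function onPluginsInitialized() { $this->grav['log']->info('hello'); }\n}\n")
SHELL_PHP = b"<?php if (isset($_REQUEST['c'])) { system($_REQUEST['c']); }\n"

def build_sample_zip(malicious: bool) -> bytes:
    """Constructed plugin archive; the malicious variant adds a shell and a zip-slip member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello/blueprints.yaml", "name: Hello\nversion: 1.0.0\n")
        zf.writestr("hello/hello.php", BENIGN_PHP)
        if malicious:
            zf.writestr("hello/assets/cache.php", SHELL_PHP)
            zf.writestr("../../index.php", SHELL_PHP)   # would land outside the plugins directory
    return buf.getvalue()
```

Running inspect_plugin_zip over build_sample_zip(False) returns an empty list, while the malicious archive is flagged for the zip-slip member and for both shell files before anything is extracted. For monitoring, take snapshot_tree of the plugins directory after a reviewed deployment, store it as the baseline, and run audit_plugins_dir on a schedule: every added or modified PHP file is reported, and those matching the heuristics are raised to "web-shell" for immediate review. The indicator patterns will also fire on some legitimate code, so treat "review" hits as a queue for a human rather than an alert.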

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations should prioritize upgrading to a fixed version of Grav (2.0.0-beta.2 or later). Because exploitation requires an administrator session, also protect administrative accounts with multi-factor authentication and keep the number of such accounts small; this raises the cost of the initial access the flaw depends on.