AI Threat Alert
CVE-2025-60511
MEDIUMAn authenticated student in Moodle can hijack the admin's OpenAI Chat Block by manipulating a single URL parameter, exposing admin-configured system prompts ('Source of Truth' entries) and burning API budget under the admin's key. If your org uses Moodle with the openai_chat block plugin, update to a patched version immediately and audit API usage logs for anomalous query volumes from student accounts. The blast radius is limited to Moodle deployments with this plugin, but the exploit requires zero AI/ML knowledge — any student can do it.
Severity & Risk
Recommended Action
- 1. **Patch immediately**: Check for updated versions of the moodle-block-openai_chat plugin beyond v3.0.1 (2025021700); apply as available. If no patch exists, disable the plugin until fixed. 2. **Workaround**: Add server-side validation to /blocks/openai_chat/api/completion.php verifying that the requesting user owns or has legitimate access to the requested blockId before processing. 3. **Rotate API keys**: Assume any OpenAI API keys configured in admin blocks may have been accessed by unauthorized users; rotate all keys in affected Moodle instances. 4. **Audit API usage**: Review OpenAI API dashboard for anomalous usage spikes, unexpected query volumes, or off-hours access patterns from the Moodle integration. 5. **Detection**: Monitor Moodle access logs for requests to /blocks/openai_chat/api/completion.php with blockId values not associated with the requesting user's enrolled courses or roles. 6. **Scope assessment**: Inventory all Moodle instances running this plugin across your organization; include subdomains and department-managed LMS installations.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.
Exploitation Scenario
A student enrolled in a Moodle course discovers the OpenAI Chat Block on their course page. Using browser DevTools or a proxy tool (Burp Suite), they capture the POST request to /blocks/openai_chat/api/completion.php and observe the blockId parameter set to their own block ID (e.g., 42). The student iterates blockId values (43, 44, 1, 2...) targeting the administrator's block, which contains a curated 'Source of Truth' knowledge base with internal policy documents, HR procedures, or proprietary academic research indexed for AI-assisted queries. By sending queries against the admin's blockId, the student extracts confidential knowledge base content through the LLM's responses. Additionally, the student sends computationally expensive queries in bulk — processing large documents, requesting lengthy analyses — all billed against the admin's OpenAI API key, potentially generating hundreds of dollars in unexpected charges. If the admin block's system prompt contains security-relevant configurations or access patterns, these are also silently exposed.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N