AI Threat Alert

CVE-2025-60511: Moodle: IDOR enables unauthorized data access

MEDIUM PoC AVAILABLE
Published October 21, 2025
CISO Take

An authenticated student in Moodle can hijack the admin's OpenAI Chat Block by manipulating a single URL parameter, exposing admin-configured system prompts ('Source of Truth' entries) and burning API budget under the admin's key. If your org uses Moodle with the openai_chat block plugin, update to a patched version immediately and audit API usage logs for anomalous query volumes from student accounts. The blast radius is limited to Moodle deployments with this plugin, but the exploit requires zero AI/ML knowledge — any student can do it.

What is the risk?

Contextual risk exceeds the CVSS 4.3 rating for AI-integrated deployments. The vulnerability is trivially exploitable by any authenticated user with no special skills — change a blockId integer and send a request. The primary AI-specific risks are: (1) exposure of admin-curated knowledge bases and system prompts that may contain proprietary or sensitive institutional data, (2) API key abuse enabling cost harvesting at scale in large institutions with thousands of students, and (3) potential for prompt manipulation if admin block configs allow it. Not in CISA KEV, no known active exploitation, but the low barrier makes rapid weaponization likely once PoC is public.

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 14% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I None
A None

What should I do?

6 steps

  1. Patch immediately

    Check for updated versions of the moodle-block-openai_chat plugin beyond v3.0.1 (2025021700); apply as available. If no patch exists, disable the plugin until fixed.

  2. Workaround

    Add server-side validation to /blocks/openai_chat/api/completion.php verifying that the requesting user owns or has legitimate access to the requested blockId before processing.

  3. Rotate API keys

    Assume any OpenAI API keys configured in admin blocks may have been accessed by unauthorized users; rotate all keys in affected Moodle instances.

  4. Audit API usage

    Review OpenAI API dashboard for anomalous usage spikes, unexpected query volumes, or off-hours access patterns from the Moodle integration.

  5. Detection

    Monitor Moodle access logs for requests to /blocks/openai_chat/api/completion.php with blockId values not associated with the requesting user's enrolled courses or roles.

  6. Scope assessment

    Inventory all Moodle instances running this plugin across your organization; include subdomains and department-managed LMS installations.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Leakage Data Extraction Plugin API AML.T0034 AML.T0040 AML.T0049 AML.T0056 AML.T0057

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.9 - Risk Management System
ISO 42001
A.6.1 - AI System Access Control A.9.1 - AI Data and Resource Protection
NIST AI RMF
GOVERN-1.6 - Policies and procedures for AI risk MANAGE-2.2 - Risk treatment for AI-related risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-60511?

An authenticated student in Moodle can hijack the admin's OpenAI Chat Block by manipulating a single URL parameter, exposing admin-configured system prompts ('Source of Truth' entries) and burning API budget under the admin's key. If your org uses Moodle with the openai_chat block plugin, update to a patched version immediately and audit API usage logs for anomalous query volumes from student accounts. The blast radius is limited to Moodle deployments with this plugin, but the exploit requires zero AI/ML knowledge — any student can do it.

Is CVE-2025-60511 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-60511, increasing the risk of exploitation.

How to fix CVE-2025-60511?

1. **Patch immediately**: Check for updated versions of the moodle-block-openai_chat plugin beyond v3.0.1 (2025021700); apply as available. If no patch exists, disable the plugin until fixed. 2. **Workaround**: Add server-side validation to /blocks/openai_chat/api/completion.php verifying that the requesting user owns or has legitimate access to the requested blockId before processing. 3. **Rotate API keys**: Assume any OpenAI API keys configured in admin blocks may have been accessed by unauthorized users; rotate all keys in affected Moodle instances. 4. **Audit API usage**: Review OpenAI API dashboard for anomalous usage spikes, unexpected query volumes, or off-hours access patterns from the Moodle integration. 5. **Detection**: Monitor Moodle access logs for requests to /blocks/openai_chat/api/completion.php with blockId values not associated with the requesting user's enrolled courses or roles. 6. **Scope assessment**: Inventory all Moodle instances running this plugin across your organization; include subdomains and department-managed LMS installations.

What systems are affected by CVE-2025-60511?

This vulnerability affects the following AI/ML architecture patterns: Plugin-based LLM integrations, LMS AI chatbot deployments, Shared API key management for AI services, RAG-adjacent knowledge base configurations, Multi-tenant educational AI platforms.

What is the CVSS score for CVE-2025-60511?

CVE-2025-60511 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

Plugin-based LLM integrationsLMS AI chatbot deploymentsShared API key management for AI servicesRAG-adjacent knowledge base configurationsMulti-tenant educational AI platforms

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0056 Extract LLM System Prompt
AML.T0057 LLM Data Leakage

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.1, A.9.1
NIST AI RMF: GOVERN-1.6, MANAGE-2.2
OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.

Exploitation Scenario

A student enrolled in a Moodle course discovers the OpenAI Chat Block on their course page. Using browser DevTools or a proxy tool (Burp Suite), they capture the POST request to /blocks/openai_chat/api/completion.php and observe the blockId parameter set to their own block ID (e.g., 42). The student iterates blockId values (43, 44, 1, 2...) targeting the administrator's block, which contains a curated 'Source of Truth' knowledge base with internal policy documents, HR procedures, or proprietary academic research indexed for AI-assisted queries. By sending queries against the admin's blockId, the student extracts confidential knowledge base content through the LLM's responses. Additionally, the student sends computationally expensive queries in bulk — processing large documents, requesting lengthy analyses — all billed against the admin's OpenAI API key, potentially generating hundreds of dollars in unexpected charges. If the admin block's system prompt contains security-relevant configurations or access patterns, these are also silently exposed.

Weaknesses (CWE)

CWE-639 Authorization Bypass Through User-Controlled Key

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Timeline

Published
October 21, 2025
Last Modified
April 15, 2026
First Seen
October 21, 2025

Related Vulnerabilities

CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Data Leakage
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Leakage
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
Back to Threat Feed