CVE-2025-60511: Moodle: IDOR enables unauthorized data access

MEDIUM PoC AVAILABLE
Published October 21, 2025
CISO Take

An authenticated student in Moodle can hijack the admin's OpenAI Chat Block by manipulating a single URL parameter, exposing admin-configured system prompts ('Source of Truth' entries) and burning API budget under the admin's key. If your org uses Moodle with the openai_chat block plugin, update to a patched version immediately and audit API usage logs for anomalous query volumes from student accounts. The blast radius is limited to Moodle deployments with this plugin, but the exploit requires zero AI/ML knowledge — any student can do it.

Risk Assessment

Contextual risk exceeds the CVSS 4.3 rating for AI-integrated deployments. The vulnerability is trivially exploitable by any authenticated user with no special skills — change a blockId integer and send a request. The primary AI-specific risks are: (1) exposure of admin-curated knowledge bases and system prompts that may contain proprietary or sensitive institutional data, (2) API key abuse enabling cost harvesting at scale in large institutions with thousands of students, and (3) potential for prompt manipulation if admin block configs allow it. Not in CISA KEV, no known active exploitation, but the low barrier makes rapid weaponization likely once PoC is public.

Severity & Risk

CVSS 3.1: 4.3 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

Recommended Action

6 steps
  1. Patch immediately

    Check for updated versions of the moodle-block-openai_chat plugin beyond v3.0.1 (2025021700); apply as available. If no patch exists, disable the plugin until fixed.

  2. Workaround

    Add server-side validation to /blocks/openai_chat/api/completion.php verifying that the requesting user owns or has legitimate access to the requested blockId before processing.

  3. Rotate API keys

    Assume any OpenAI API keys configured in admin blocks may have been accessed by unauthorized users; rotate all keys in affected Moodle instances.

  4. Audit API usage

    Review OpenAI API dashboard for anomalous usage spikes, unexpected query volumes, or off-hours access patterns from the Moodle integration.

  5. Detection

    Monitor Moodle access logs for requests to /blocks/openai_chat/api/completion.php with blockId values not associated with the requesting user's enrolled courses or roles.

  6. Scope assessment

    Inventory all Moodle instances running this plugin across your organization; include subdomains and department-managed LMS installations.

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 9 - Risk Management System
ISO 42001
  A.6.1 - AI System Access Control
  A.9.1 - AI Data and Resource Protection
NIST AI RMF
  GOVERN-1.6 - Policies and procedures for AI risk
  MANAGE-2.2 - Risk treatment for AI-related risks
OWASP LLM Top 10
  LLM06 - Sensitive Information Disclosure
  LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2025-60511 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-60511, increasing the risk of exploitation.

How to fix CVE-2025-60511?

  1. Patch immediately: Check for updated versions of the moodle-block-openai_chat plugin beyond v3.0.1 (2025021700); apply as available. If no patch exists, disable the plugin until fixed.
  2. Workaround: Add server-side validation to /blocks/openai_chat/api/completion.php verifying that the requesting user owns or has legitimate access to the requested blockId before processing.
  3. Rotate API keys: Assume any OpenAI API keys configured in admin blocks may have been accessed by unauthorized users; rotate all keys in affected Moodle instances.
  4. Audit API usage: Review the OpenAI API dashboard for anomalous usage spikes, unexpected query volumes, or off-hours access patterns from the Moodle integration.
  5. Detection: Monitor Moodle access logs for requests to /blocks/openai_chat/api/completion.php with blockId values not associated with the requesting user's enrolled courses or roles.
  6. Scope assessment: Inventory all Moodle instances running this plugin across your organization; include subdomains and department-managed LMS installations.

What systems are affected by CVE-2025-60511?

This vulnerability affects the following AI/ML architecture patterns: Plugin-based LLM integrations, LMS AI chatbot deployments, Shared API key management for AI services, RAG-adjacent knowledge base configurations, Multi-tenant educational AI platforms.

What is the CVSS score for CVE-2025-60511?

CVE-2025-60511 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.

Exploitation Scenario

A student enrolled in a Moodle course discovers the OpenAI Chat Block on their course page. Using browser DevTools or a proxy tool (Burp Suite), they capture the POST request to /blocks/openai_chat/api/completion.php and observe the blockId parameter set to their own block ID (e.g., 42). The student iterates blockId values (43, 44, 1, 2...) targeting the administrator's block, which contains a curated 'Source of Truth' knowledge base with internal policy documents, HR procedures, or proprietary academic research indexed for AI-assisted queries. By sending queries against the admin's blockId, the student extracts confidential knowledge base content through the LLM's responses. Additionally, the student sends computationally expensive queries in bulk — processing large documents, requesting lengthy analyses — all billed against the admin's OpenAI API key, potentially generating hundreds of dollars in unexpected charges. If the admin block's system prompt contains security-relevant configurations or access patterns, these are also silently exposed.
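The missing check described above, written as an added example that is not the plugin's own code: a fail-closed guard for completion.php that implements the server-side validation of Recommended Action step 2, and whose helper can equally be run from a CLI script over (userid, blockId) pairs pulled from logs to flag the requests step 5 asks you to hunt for. It assumes the POST field is named blockId as the advisory states and that the helper name is hypothetical; every other call is a Moodle core API.

```php
<?php
// Added example (not the plugin's code): authorize the client-supplied blockId
// against the requesting user's real access before any block config is loaded.
// The flaw in the advisory is that blockId was trusted as-is; here an unknown,
// foreign or wrong-type id is refused. Helper name is hypothetical.
require_once(__DIR__ . '/../../../config.php');

/**
 * True only if $userid may legitimately use openai_chat block $blockid:
 * the id must be an openai_chat instance, the user must hold moodle/block:view
 * in its context, and the page it lives on must be one the user belongs to
 * (their own dashboard, or a course they are actively enrolled in).
 */
function block_openai_chat_user_may_use_block(int $blockid, int $userid): bool {
    global $DB;
    $instance = $DB->get_record('block_instances', ['id' => $blockid]);
    if (!$instance || $instance->blockname !== 'openai_chat') {
        return false;                       // unknown id, or a different block type
    }
    $blockcontext = context_block::instance($blockid);
    if (!has_capability('moodle/block:view', $blockcontext, $userid)) {
        return false;
    }
    $parent = $blockcontext->get_parent_context();
    if ($parent->contextlevel == CONTEXT_USER) {
        // Dashboard block: only the dashboard's owner may query it.
        return (int)$parent->instanceid === $userid;
    }
    $coursecontext = $parent->get_course_context(false);
    if ($coursecontext) {
        // Course or activity block: active enrolment required (front page
        // counts as enrolled for every logged-in user in Moodle core).
        return is_enrolled($coursecontext, $userid, '', true);
    }
    // System-level block (e.g. admin pages): rely on the capability check above.
    return true;
}

// --- completion.php entry point: runs before any OpenAI request is built ---
require_login();        // no anonymous access
require_sesskey();      // CSRF token must accompany the POST
$blockid = required_param('blockId', PARAM_INT);
if (!block_openai_chat_user_may_use_block($blockid, $USER->id)) {
    // One generic error for "not yours" and "does not exist", so the endpoint
    // does not become an oracle for enumerating valid block ids.
    throw new moodle_exception('nopermissions', 'error', '', 'use this chat block');
}
// Only now load $blockid's config (API key, system prompt, Source of Truth).
```

For the detection sweep, replay each logged (userid, blockId) pair through the helper in a CLI script and treat every false result as a request that would have been refused by the patched check.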

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
October 21, 2025
Last Modified
October 21, 2025
First Seen
October 21, 2025
