CVE-2025-26530
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in Moodle's question bank filter allows attackers to inject malicious scripts into web pages viewed by other users. When exploited, it could enable session hijacking, credential theft, or unauthorized actions on behalf of victims. All Moodle instances with vulnerable versions are affected.
💻 Affected Systems
- Moodle LMS
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator credentials, takes over the entire Moodle instance, accesses sensitive student data, and deploys ransomware or malware to all users.
Likely Case
Attacker steals user session cookies to impersonate students or teachers, modifies grades, accesses private course materials, or performs unauthorized actions within courses.
If Mitigated
With proper input validation and output encoding, the attack fails silently with no impact beyond failed exploitation attempts in logs.
🎯 Exploit Status
Requires social engineering to trick users into clicking malicious links; exploitation depends on user interaction with crafted URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing MDL-84146 commit
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=466146
Restart Required: No
Instructions:
1. Update Moodle to the latest version containing the MDL-84146 fix.
2. Apply the specific commit from the Moodle git repository.
3. Clear all caches after patching.
🔧 Temporary Workarounds
Input Validation Enhancement
Applies to: all
Implement additional input sanitization for question bank filter parameters
Not applicable - requires code modification
Content Security Policy
Applies to: web
Implement strict CSP headers to mitigate XSS impact (Apache httpd configuration):
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Header set X-Content-Type-Options "nosniff"
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in question bank parameters
- Disable or restrict access to question bank filter functionality if not essential
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject script payloads into question bank filter parameters and checking if they execute
Check Version:
Check Moodle version in Site administration > Notifications or via config.php
Verify Fix Applied:
Verify the MDL-84146 commit is present in your Moodle installation and test that XSS payloads no longer execute
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values in question bank filter requests
- Multiple failed XSS attempts in web server logs
- Suspicious script tags or JavaScript in URL parameters
Network Indicators:
- HTTP requests with encoded script tags in question bank parameters
- Unusual redirects from question bank pages
SIEM Query:
web.url:*question*bank* AND (web.param:*script* OR web.param:*javascript* OR web.param:*alert*)
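The SIEM query above matches raw substrings, so percent-encoded or double-encoded payloads (the "encoded script tags" indicator listed under Network Indicators) can slip past it. The following is an added example, not part of the advisory or of Moodle's own code, that applies the same search terms to decoded query parameters of requests to question bank pages. It assumes combined-format web server logs, that question bank pages are served under /question/, and uses constructed sample log lines.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Terms from the advisory's SIEM query (script / javascript / alert), plus inline
# event handlers, matched on decoded parameter values rather than the raw request line.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\balert\s*\(|\bon[a-z]+\s*=", re.I)
# Assumption: Moodle question bank pages are served under /question/.
QUESTION_BANK_PATH = re.compile(r"/question/", re.I)
# Request-line extractor for Apache/Nginx combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so double-encoded payloads are inspected in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_requests(lines):
    """Return one finding per question-bank request parameter whose decoded value looks like XSS."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not QUESTION_BANK_PATH.search(url.path):
            continue  # only question bank pages are in scope for this CVE
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl already removed one encoding layer
            if SUSPICIOUS.search(value):
                findings.append({"ip": m["ip"], "path": url.path, "param": name, "value": value})
    return findings

# Constructed sample log lines (not real traffic): plain-encoded payload, double-encoded
# payload, an off-target page, and a benign value containing the word "javascript".
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /question/edit.php?cmid=12&filter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET /question/edit.php?cmid=12&filter=%253Cscript%253E HTTP/1.1" 200 5123',
    '192.0.2.9 - - [10/Mar/2025:10:00:03 +0000] "GET /course/view.php?id=4&name=%3Cscript%3E HTTP/1.1" 200 2000',
    '192.0.2.10 - - [10/Mar/2025:10:00:04 +0000] "GET /question/edit.php?cmid=12&filter=javascript+basics HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} param={f['param']!r} value={f['value']!r}")
```

Only the first two sample lines are reported: the third targets a page outside the question bank and the fourth contains the word "javascript" without a scheme separator, which the raw SIEM query would have flagged.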