CVE-2013-4341

Moodle <= 2.2.11, 2.3.x < 2.3.9, 2.4.x < 2.4.6, 2.5.x < 2.5.2 - Cross-Site Scripting via RSS Feed Blog Link


Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-4341: the Exploit-DB PoC published by Ciaran McNally, and the Metasploit module exploits/multi/http/moodle_spelling_binary_rce, which uses this XSS as a secondary step in an authenticated RCE chain.

AI-analyzed exploit summary: This exploit demonstrates a persistent (stored) XSS vulnerability in Moodle <= 2.3.8 and <= 2.4.5. An attacker supplies a crafted link value through an RSS feed attached to a blog; Moodle stores it and renders it as the href of the 'Link to original blog entry' anchor, so the injected JavaScript runs when a user clicks that link.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.
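The mechanism described above, as an added example that is not part of this page, of Moodle's code, or of either PoC: a constructed RSS feed whose `<link>` element is attacker-controlled, rendered once with HTML-escaping only (the pattern that lets a `javascript:` href through, because the payload contains no HTML-special characters) and once behind a scheme allowlist that normalizes the URL the way browsers do before checking it. Moodle's actual fix is not shown on this page; the feed contents, function names and element names here are illustrative assumptions.

```python
# Added example (not Moodle's code and not the Exploit-DB or Metasploit PoC):
# render the "Link to original blog entry" anchor from an untrusted RSS feed,
# once with HTML-escaping only and once with an href scheme allowlist.
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed standing in for an attacker-controlled blog.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item><title>Benign post</title><link>https://blog.example.org/post/1</link></item>
  <item><title>Evil post</title><link>javascript:alert(document.cookie)</link></item>
  <item><title>Obfuscated</title><link>\tJaVa\nScRiPt:alert(1)</link></item>
  <item><title>Data URL</title><link>data:text/html,&lt;script&gt;alert(1)&lt;/script&gt;</link></item>
</channel></rss>"""

ALLOWED_SCHEMES = {"http", "https"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def parse_feed_links(xml_text):
    """Return (title, link) pairs from an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    return [(item.findtext("title", ""), item.findtext("link", ""))
            for item in root.iter("item")]


def render_link_vulnerable(link):
    """Output-encodes the href and nothing else. A javascript: URL contains no
    HTML-special characters, so the encoding is a no-op and the browser runs
    the script when the anchor is clicked."""
    return '<a href="%s">Link to original blog entry</a>' % html.escape(link, quote=True)


def is_safe_http_url(link):
    """Allowlist check on the URL scheme, normalized the way browsers do it
    (WHATWG URL parsing): strip leading/trailing C0 controls and spaces, drop
    any tab/CR/LF, then compare case-insensitively. Without that step a value
    such as "<TAB>JaVa<LF>ScRiPt:" slips past a naive startswith("javascript:")."""
    normalized = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", link)
    normalized = re.sub(r"[\t\r\n]", "", normalized).lower()
    m = _SCHEME_RE.match(normalized)
    return bool(m) and m.group(1) in ALLOWED_SCHEMES


def render_link_hardened(link):
    """Emit the anchor only for http(s) links; otherwise emit inert text so a
    poisoned feed cannot plant an executable href at all."""
    if not is_safe_http_url(link):
        return "<span>Link to original blog entry (unavailable)</span>"
    return '<a href="%s">Link to original blog entry</a>' % html.escape(link, quote=True)


def render_feed(xml_text, renderer):
    """Render every item's link with the given renderer; returns a list of HTML strings."""
    return [renderer(link) for _title, link in parse_feed_links(xml_text)]


if __name__ == "__main__":
    for vuln, safe in zip(render_feed(SAMPLE_FEED, render_link_vulnerable),
                          render_feed(SAMPLE_FEED, render_link_hardened)):
        print("vulnerable:", vuln)
        print("hardened:  ", safe)
```

The point the vulnerable renderer makes is that attribute encoding is the wrong control for a URL context: `html.escape` leaves `javascript:alert(document.cookie)` untouched and only entity-encodes the `data:` payload, which the browser decodes again before following the link. The hardened renderer validates the scheme against an allowlist rather than blocklisting `javascript:`, so mixed case, embedded tab/newline characters and other executable schemes are all rejected by the same check.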

Exploits (2)

exploitdb · WORKING POC
by Ciaran McNally · text · webapps · php
https://www.exploit-db.com/exploits/28174

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Moodle <= 2.3.8, <= 2.4.5
Auth required
Prerequisites: Valid student account in Moodle · Ability to trick a user into clicking a malicious link
Analysis: devstral-2, Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/moodle_spelling_binary_rce.rb

This Metasploit module exploits an authenticated RCE vulnerability in Moodle by changing the spellchecker binary path in the admin settings so that an arbitrary command is executed. That RCE is a separate Moodle issue; CVE-2013-4341 enters as the secondary XSS the module chains in to escalate privileges when the supplied account is not already an administrator (the prerequisites below list a stolen sesskey as the alternative to direct admin access).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Moodle versions up to 2.5.2
Auth required
Prerequisites: Authenticated user credentials · Access to Moodle admin settings or stolen sesskey
Analysis: devstral-2, Feb 16, 2026

Scores

EPSS 0.2186 (estimated 21.9% probability of exploitation activity within the next 30 days)
EPSS Percentile 97.3%

Details

CWE
CWE-79
Status published
Products (18)
moodle/moodle 2.3.0
moodle/moodle 2.3.1
moodle/moodle 2.3.2
moodle/moodle 2.3.3
moodle/moodle 2.3.4
moodle/moodle 2.3.5
moodle/moodle 2.3.6
moodle/moodle 2.3.7
moodle/moodle 2.3.8
moodle/moodle 2.4.0
... and 8 more
Published Sep 16, 2013
Tracked Since Feb 18, 2026