CVE-2018-1133

HIGH

Moodle 3.1.0-3.1.11, 3.1-3.1.12 - Remote Code Execution via Calculated Question Eval Injection


Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-1133. PoCs published by Darryn Ten, darrynten, That-Guy-Steve.

AI-analyzed exploit summary: This exploit targets CVE-2018-1133 in Moodle v3.4.1, allowing authenticated users with teacher privileges to execute arbitrary code via a reverse shell payload. It automates the process of logging in, enabling course editing, adding a quiz, and injecting malicious code through a calculated question.

Description

An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

Exploits (4)

exploitdb WORKING POC
by Darryn Ten · php · webapps · php
https://www.exploit-db.com/exploits/46551

This exploit targets CVE-2018-1133 in Moodle v3.4.1, allowing authenticated users with teacher privileges to execute arbitrary code via a reverse shell payload. It automates the process of logging in, enabling course editing, adding a quiz, and injecting malicious code through a calculated question.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle v3.4.1 (possibly < 3.5.0)
Auth required
Prerequisites: Valid teacher account credentials · Course ID belonging to the teacher · Network access to the Moodle instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 10 stars
by darrynten · poc
https://github.com/darrynten/MoodleExploit

This is a functional exploit for CVE-2018-1133, targeting Moodle v3.4.1. It leverages a calculated question feature to achieve remote code execution by injecting a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle v3.4.1 (possibly < 3.5.0)
Auth required
Prerequisites: Valid teacher credentials · Course ID belonging to the teacher · Network access to the Moodle instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by That-Guy-Steve · poc
https://github.com/That-Guy-Steve/CVE-2018-1133-Exploit

This is a Python exploit for CVE-2018-1133, targeting Moodle's 'Evil Teacher' vulnerability. It leverages authenticated command injection via crafted quiz questions to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle (versions affected by CVE-2018-1133)
Auth required
Prerequisites: Valid Moodle credentials · Teacher or higher privileges · Access to a course with quiz creation permissions
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Feidao-fei · poc
https://github.com/Feidao-fei/MOODLE-3.X-Remote-Code-Execution

This is a functional exploit for CVE-2018-1133, targeting Moodle 3.X with authenticated RCE via eval injection. The script automates authentication, session handling, and payload delivery to achieve a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle 3.X
Auth required
Prerequisites: Valid teacher credentials · Network access to target Moodle instance · Listener for reverse shell
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=371199
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46551/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104307

Scores

CVSS v3 8.8
EPSS 0.4078
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-94
Status: published
Products (2)
moodle/moodle 3.1 - 3.1.12 (Packagist)
moodle/moodle 3.1.0 - 3.1.11
Published May 25, 2018
Tracked Since Feb 18, 2026