CVE-2018-16854

MEDIUM

moodle <3.0.10, 3.1-3.1.14 - Cross-Site Request Forgery in Login Form

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-16854. PoCs published by danielthatcher.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2018-16854, a CSRF vulnerability in Moodle's login form. The exploit leverages JavaScript injection to steal session cookies and install a malicious plugin, leading to remote code execution.

Description

A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

Exploits (1)

nomisec WORKING POC 7 stars

by danielthatcher · poc

https://github.com/danielthatcher/moodle-login-csrf

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2018-16854, a CSRF vulnerability in Moodle's login form. The exploit leverages JavaScript injection to steal session cookies and install a malicious plugin, leading to remote code execution.

Classification

Working Poc 95%

Attack Type

Auth Bypass, Xss, Rce

Complexity

Moderate

Reliability

Reliable

Target: Moodle versions before 3.6, 3.5.3, 3.4.6, 3.3.9, and 3.1.15

No auth needed

Prerequisites: Victim must visit a malicious page with the exploit JavaScript · Attacker must have a server to host the malicious plugin and receive stolen cookies

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1078 - Valid Accounts

devstral-2 · analyzed Feb 16, 2026 Full analysis →