CVE-2025-60506

MEDIUM

Moodle PDF Annotator plugin v1.5 release 9 - XSS

Title source: llm

Description

Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotated PDF, the payload is executed in their browser, leading to session hijacking, credential theft, or other attacker-controlled actions.

References (3)

Core 3

Core References

Various Sources

https://github.com/onurcangnc/moodle-xss-pdfannotator

View Writeup ZIP pw:eip

Various Sources

https://onurcangenc.com.tr/blog/moodle-xss-pdfannotator

Various Sources

https://onurcangenc.com.tr/posts/cve-2025-60506-stored-cross-site-scripting-xss-in-moodle-pdf-annotator-plugin-v1-5-release-9/

Scores

CVSS v3 5.4

EPSS 0.0002

EPSS Percentile 6.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Published Oct 21, 2025

Tracked Since Feb 18, 2026