OpenAI Chat Block CVE-2025-60511
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible IDOR requiring only low-privilege authentication; A:L added over NVD rating because API quota misuse under another user's key constitutes a concrete availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.
AnalysisAI
Insecure Direct Object Reference in the Moodle OpenAI Chat Block plugin 3.0.1 allows any authenticated student to hijack administrator-configured AI block sessions by supplying an arbitrary blockId to the completion API endpoint. An attacker leveraging this flaw can read admin-only 'Source of Truth' prompt configurations, steer AI responses using privileged system instructions, and consume API quota tied to another user's block. A public proof-of-concept writeup and associated GitHub repository exist, though no confirmed active exploitation (CISA KEV) has been recorded; EPSS sits at 0.23% (14th percentile), indicating low but non-zero real-world exploitation interest.
Technical ContextAI
The vulnerability resides in CWE-639 (Authorization Through User-Controlled Key): the application uses a caller-supplied blockId parameter to look up a block object and execute a completion request under that block's configuration, without verifying that the requesting user owns or has permission to use that block. The affected file is /blocks/openai_chat/api/completion.php, a PHP endpoint that serves as the back-end bridge between Moodle's block framework and the OpenAI Chat Completions API. Because Moodle's block system allows administrators to define per-block system prompts and 'Source of Truth' knowledge entries (admin-only content), an IDOR here is particularly impactful: the attacker does not merely read a record but executes live AI queries under a privileged configuration. No CPE strings were provided in the input data; the affected product is third-party and not part of Moodle core.
Affected ProductsAI
The Moodle OpenAI Chat Block plugin version 3.0.1 (build 2025021700) is confirmed affected per the CVE description. This is a third-party plugin installed into Moodle LMS instances; it is not part of Moodle core. No CPE strings were provided in the input data. Moodle core versions and operating systems are not specified as preconditions beyond hosting a compatible Moodle instance with this plugin installed and at least one admin-configured block present. The researcher's PoC repository is available at https://github.com/onurcangnc/moodle_block_openai_chat.
RemediationAI
No vendor-released patch has been identified at time of analysis. Administrators should immediately audit whether the OpenAI Chat Block plugin is in use and assess whether any blocks contain sensitive 'Source of Truth' configurations or privileged system prompts. As a compensating control, web server-level access restrictions on /blocks/openai_chat/api/completion.php can be applied to limit requests to specific authenticated roles or IP ranges - note this may break legitimate student use of the chat feature. Alternatively, disabling the plugin entirely eliminates the attack surface at the cost of removing AI chat functionality. The researcher's writeup at https://onurcangenc.com.tr/posts/idor-in-moodle-openai-chat-block-block_openai_chat-proof-of-concept-poc--cve-2025-60511/ describes the PoC; administrators can use that detail to implement server-side blockId ownership validation in the interim if they have PHP development capability.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today