Skip to main content

OpenAI Chat Block CVE-2025-60511

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-10-21 cve@mitre.org
4.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible IDOR requiring only low-privilege authentication; A:L added over NVD rating because API quota misuse under another user's key constitutes a concrete availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 04:13 vuln.today

DescriptionCVE.org

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.

AnalysisAI

Insecure Direct Object Reference in the Moodle OpenAI Chat Block plugin 3.0.1 allows any authenticated student to hijack administrator-configured AI block sessions by supplying an arbitrary blockId to the completion API endpoint. An attacker leveraging this flaw can read admin-only 'Source of Truth' prompt configurations, steer AI responses using privileged system instructions, and consume API quota tied to another user's block. A public proof-of-concept writeup and associated GitHub repository exist, though no confirmed active exploitation (CISA KEV) has been recorded; EPSS sits at 0.23% (14th percentile), indicating low but non-zero real-world exploitation interest.

Technical ContextAI

The vulnerability resides in CWE-639 (Authorization Through User-Controlled Key): the application uses a caller-supplied blockId parameter to look up a block object and execute a completion request under that block's configuration, without verifying that the requesting user owns or has permission to use that block. The affected file is /blocks/openai_chat/api/completion.php, a PHP endpoint that serves as the back-end bridge between Moodle's block framework and the OpenAI Chat Completions API. Because Moodle's block system allows administrators to define per-block system prompts and 'Source of Truth' knowledge entries (admin-only content), an IDOR here is particularly impactful: the attacker does not merely read a record but executes live AI queries under a privileged configuration. No CPE strings were provided in the input data; the affected product is third-party and not part of Moodle core.

Affected ProductsAI

The Moodle OpenAI Chat Block plugin version 3.0.1 (build 2025021700) is confirmed affected per the CVE description. This is a third-party plugin installed into Moodle LMS instances; it is not part of Moodle core. No CPE strings were provided in the input data. Moodle core versions and operating systems are not specified as preconditions beyond hosting a compatible Moodle instance with this plugin installed and at least one admin-configured block present. The researcher's PoC repository is available at https://github.com/onurcangnc/moodle_block_openai_chat.

RemediationAI

No vendor-released patch has been identified at time of analysis. Administrators should immediately audit whether the OpenAI Chat Block plugin is in use and assess whether any blocks contain sensitive 'Source of Truth' configurations or privileged system prompts. As a compensating control, web server-level access restrictions on /blocks/openai_chat/api/completion.php can be applied to limit requests to specific authenticated roles or IP ranges - note this may break legitimate student use of the chat feature. Alternatively, disabling the plugin entirely eliminates the attack surface at the cost of removing AI chat functionality. The researcher's writeup at https://onurcangenc.com.tr/posts/idor-in-moodle-openai-chat-block-block_openai_chat-proof-of-concept-poc--cve-2025-60511/ describes the PoC; administrators can use that detail to implement server-side blockId ownership validation in the interim if they have PHP development capability.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-60511 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy