Moodle
By the Year
In 2025 there have been 17 vulnerabilities in Moodle so far. Last year, in 2024, Moodle had 49 security vulnerabilities published. At the current rate, Moodle is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average CVSS Score |
---|---|---|
2025 | 17 | 0.00 |
2024 | 49 | 6.01 |
2023 | 45 | 6.34 |
2022 | 46 | 6.40 |
2021 | 21 | 5.94 |
2020 | 20 | 6.58 |
2019 | 17 | 5.98 |
2018 | 17 | 6.58 |
It may take a day or so for new Moodle vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Moodle Security Vulnerabilities
Moodle Information Disclosure and Login Denial Around Two-Factor Authentication
CVE-2025-3625
- April 25, 2025
A security vulnerability was discovered in Moodle that can allow attackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).
Moodle Sensitive User Data Disclosure via API Stack Traces
CVE-2025-32044
- April 25, 2025
A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data, including names, contact information, and hashed passwords, via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.
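The mechanism behind CVE-2025-32044 is generic PHP behaviour: every frame of an exception's stack trace carries the arguments the function was called with, so a function that received a user record (hash included) and then threw puts that record into the trace, and any API error handler that serialises the trace returns it to the client. The following is an added illustration written for this page, not Moodle code; build_profile_response() and trace_exposes_args() are hypothetical, and the user record is constructed.

```php
<?php
// Added illustration, not Moodle code: how an exception's stack trace carries
// function arguments (here a user record with a hashed password), and what
// zend.exception_ignore_args changes. Requires PHP 7.4 or later.
declare(strict_types=1);

// Hypothetical API-layer function that fails part-way through.
function build_profile_response(array $user): array {
    if (!isset($user['email'])) {
        throw new RuntimeException('Incomplete user record');
    }
    return ['fullname' => $user['firstname'] . ' ' . $user['lastname']];
}

// Does the first trace frame expose the caller's arguments?
function trace_exposes_args(array $user): bool {
    try {
        build_profile_response($user);
    } catch (RuntimeException $e) {
        // Each frame may carry an 'args' entry; with zend.exception_ignore_args=1
        // the engine omits it when the trace is captured.
        return isset($e->getTrace()[0]['args']);
    }
    return false;
}

// Constructed sample record; the hash below is a placeholder, not a credential.
$user = [
    'firstname' => 'Ada',
    'lastname'  => 'Lovelace',
    'password'  => '$2y$10$placeholderplaceholderplaceholderplaceholderplaceholder',
];

// Engine default (zend.exception_ignore_args = 0): the frame holds the whole
// $user array. If an API error handler serialises the trace into its JSON
// response, the hash goes to the client.
ini_set('zend.exception_ignore_args', '0');
var_dump(trace_exposes_args($user));

// Hardened setting, equivalent to zend.exception_ignore_args = 1 in php.ini.
// Put it in php.ini rather than calling ini_set() so it covers every request.
ini_set('zend.exception_ignore_args', '1');
var_dump(trace_exposes_args($user));

// Belt and braces: never send $e->getTrace() or getTraceAsString() to
// non-admin clients; log it server-side and return a generic message.
```

The first call finds the args entry in the frame for build_profile_response and the second does not. To check a running site, `php -r 'var_dump(ini_get("zend.exception_ignore_args"));'` should print "1" (a value of "0" or an empty string means arguments are being captured). The setting only hides arguments; the trace itself, with file paths and function names, is still sensitive and should stay out of API responses.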
Moodle Grade Report Hidden Grade Disclosure via Insufficient Capability Checks
CVE-2025-32045
- April 25, 2025
A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.
Moodle Student Information Disclosure Before Two-Factor Authentication Completes
CVE-2025-3627
- April 25, 2025
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).
Moodle Anonymous Assignment Submission De-anonymization via Search
CVE-2025-3628
- April 25, 2025
A flaw was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.
Moodle Unauthenticated Tour Duplication via CSRF
CVE-2025-3635
- April 25, 2025
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
Moodle RSS Feed Access via Insufficient Capability Checks
CVE-2025-3636
- April 25, 2025
A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.
Moodle CSRF Token Exposure in mod_data Edit and Delete Page URLs
CVE-2025-3637
- April 25, 2025
A security vulnerability was found in Moodle where the token used to prevent cross-site request forgery (CSRF) attacks was exposed in the page URL. This occurred specifically on two pages within the mod_data module: the edit and delete pages.
Moodle Enrolled User Profile Information Disclosure via Insufficient Capability Checks
CVE-2025-3640
- April 25, 2025
A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.
Moodle Dropbox Repository Remote Code Execution
CVE-2025-3641
- April 25, 2025
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.
Moodle EQUELLA Repository Remote Code Execution
CVE-2025-3642
- April 25, 2025
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.
Moodle Policy Tool Return URL Reflected XSS
CVE-2025-3643
- April 25, 2025
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
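A "return URL" parameter is reflected twice: into a redirect or link target, and often into the HTML of a confirmation page. Sanitizing it means two separate steps, validating that the value is a site-relative path (rejecting absolute, scheme-relative and javascript: URLs) and then HTML-escaping it wherever it is written into markup. The following is an added example for this page, not the Moodle policy tool's own code; safe_return_url() and h() are hypothetical helpers and the inputs are constructed.

```php
<?php
// Added example, not Moodle code: accept a return URL only if it is a
// relative path on this site, then escape it for the HTML context it lands in.
declare(strict_types=1);

/**
 * Returns a safe site-relative path, or $fallback. Rejects empty values,
 * control characters (header injection), anything not starting with a single
 * "/" (absolute URLs, javascript:, data:), and "//host" or "/\host" forms
 * that browsers treat as scheme-relative. Hypothetical helper.
 */
function safe_return_url(string $candidate, string $fallback = '/'): string {
    $candidate = trim($candidate);
    if ($candidate === '' || preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $fallback;
    }
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $fallback;
    }
    // Defence in depth: after the checks above parse_url() must see neither
    // a scheme nor a host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

/** HTML-escape for text and quoted-attribute contexts. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed values an attacker might place in ?returnurl=...
$inputs = [
    '/admin/tool/policy/index.php?x=1',   // legitimate
    'javascript:alert(document.cookie)',  // scheme, not a path
    '//attacker.example/phish',           // scheme-relative open redirect
    "/my/\r\nX-Injected: 1",              // CRLF into a Location header
    '"><script>alert(1)</script>',        // markup breakout
];
foreach ($inputs as $in) {
    $safe = safe_return_url($in, '/my/');
    // Both the validated value and the fallback go through h() on output.
    echo '<a href="' . h($safe) . '">Continue</a>' . PHP_EOL;
}
```

Only the first input survives validation; the other four fall back to /my/. Validation and escaping are not interchangeable: escaping alone would still let the javascript: and //attacker.example values through as working links, and validation alone would still allow a quote in a legitimate path to break out of the attribute.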
Moodle Course Section Deletion Without Permission
CVE-2025-3644
- April 25, 2025
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
Moodle Messaging Web Service User Name and Online Status Disclosure
CVE-2025-3645
- April 25, 2025
A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.
Moodle Cohort Data Access via Insufficient Checks
CVE-2025-3647
- April 25, 2025
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
Moodle Brickfield Tool Analysis Request CSRF
CVE-2025-3638
- April 25, 2025
A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.
Moodle Self-Enrolment Before Two-Factor Authentication Completes
CVE-2025-3634
- April 25, 2025
A security vulnerability was discovered in Moodle that allows students to enrol themselves in courses without completing all the required checks. Specifically, users could self-enrol prematurely, before finishing the two-step (multi-factor) verification process.
Moodle Dynamic Tables Missing Capability Checks
CVE-2024-45689
- November 20, 2024
A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
AuthZ
Moodle OAuth2-Linked Account Deletion Authorization Flaw
CVE-2024-45690
- November 20, 2024
A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.
Moodle Lesson Password Bypass via Loose Comparison (Magic Hashes)
CVE-2024-45691
- November 20, 2024
A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.
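The "magic hash" problem is a property of PHP's loose comparison: `==` between two numeric-looking strings compares them as numbers, and any digest of the form 0e followed only by digits evaluates to zero, so two such digests compare equal even though they differ. The following is an added illustration for this page, not mod_lesson's own code; the check_password_* and is_magic_hash() helpers are hypothetical, and the two inputs are the well-known MD5 magic-hash examples.

```php
<?php
// Added illustration, not mod_lesson code: why a loose (==) comparison of two
// hash strings is bypassable when the stored digest is a "magic hash", and the
// strict comparison that fixes it. Hypothetical check_password_* helpers.
declare(strict_types=1);

// Two different inputs whose MD5 hex digests both have the form 0e<digits>.
// PHP's == converts two numeric strings to numbers, and 0e<anything> is 0.0,
// so the two digests compare equal even though they differ as strings.
const MAGIC_A = '240610708';  // md5: 0e462097431906509019562988736854
const MAGIC_B = 'QNKCDZO';    // md5: 0e830400451993494058024219903391

/** Vulnerable: loose comparison of the stored digest with the digest of the input. */
function check_password_loose(string $storedmd5, string $input): bool {
    return md5($input) == $storedmd5;
}

/** Fixed: type-strict, constant-time comparison with no numeric coercion. */
function check_password_strict(string $storedmd5, string $input): bool {
    return hash_equals($storedmd5, md5($input));
}

/** Audit helper: flags stored digests that the loose check would mishandle. */
function is_magic_hash(string $digest): bool {
    return preg_match('/^0e[0-9]+$/i', $digest) === 1;
}

/** Runs both checks against a stored digest and returns the outcomes. */
function compare_checks(string $storedmd5, string $attempt): array {
    return [
        'stored_is_magic' => is_magic_hash($storedmd5),
        'loose_accepts'   => check_password_loose($storedmd5, $attempt),
        'strict_accepts'  => check_password_strict($storedmd5, $attempt),
    ];
}

// A lesson whose password was set to MAGIC_A stores md5(MAGIC_A); a guess of
// MAGIC_B is a wrong password that the loose check nevertheless accepts.
print_r(compare_checks(md5(MAGIC_A), MAGIC_B));

// An ordinary password is not affected: both checks reject the wrong guess.
print_r(compare_checks(md5('correct horse'), 'wrong guess'));
```

This matches the advisory's scope: only stored values that are themselves magic hashes are bypassable, which is why an audit of existing lesson passwords with something like is_magic_hash() is the useful follow-up after patching. The behaviour is unchanged in PHP 8, whose comparison changes affect number-versus-string comparisons, not two numeric strings.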
Moodle Course Badge List Access Control Flaw
CVE-2024-48899
- November 20, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.
Insecure Direct Object Reference / IDOR
Moodle Messaging Component Information Disclosure Vulnerability
CVE-2024-48896
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
Generation of Error Message Containing Sensitive Information
Moodle RSS Feed Access Control Vulnerability
CVE-2024-48897
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.
AuthZ
Moodle: Privilege Escalation in Audience Deletion
CVE-2024-48898
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.
AuthZ
Moodle Report Schedule Access Control Vulnerability
CVE-2024-48901
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.
AuthZ
Moodle Badge Recipient List Information Disclosure
CVE-2024-48900
- November 13, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.
Information Disclosure
Moodle H5P Reflected Cross-Site Scripting (XSS) Vulnerability
CVE-2024-43439
6.1 - Medium
- November 11, 2024
A flaw was found in Moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.
Moodle Backup XSS Vulnerability
CVE-2024-43437
6.1 - Medium
- November 11, 2024
A flaw was found in Moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.
Moodle Glossary Restore Capability Bypass Vulnerability
CVE-2024-43435
5.3 - Medium
- November 11, 2024
A flaw was found in Moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.
Moodle Matrix Integration: Improper Access Control for Suspended Users
CVE-2024-43433
5.3 - Medium
- November 11, 2024
A flaw was found in Moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.
Moodle cURL Wrapper HTTP Authorization Header Leak Vulnerability
CVE-2024-43432
5.3 - Medium
- November 11, 2024
A flaw was found in Moodle. The cURL wrapper in Moodle strips the HTTPAUTH and USERPWD options during emulated redirects but retains the other original request headers, so an HTTP Authorization header could be unintentionally sent in requests to redirect URLs.
Moodle Quiz External API Insufficient Access Control Vulnerability
CVE-2024-43430
5.3 - Medium
- November 11, 2024
A flaw was found in Moodle. External API access to Quiz contained insufficient access control.
Moodle Gradebook Information Disclosure Vulnerability in User Profile Fields
CVE-2024-43429
5.3 - Medium
- November 11, 2024
A flaw was found in Moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.
Moodle Site Administration Presets Export Information Disclosure Vulnerability
CVE-2024-43427
3.7 - Low
- November 11, 2024
A flaw was found in Moodle. When creating an export of site administration presets, some sensitive secrets and keys are not excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.
Moodle RCE via Calculated Question Types
CVE-2024-43425
8.1 - High
- November 07, 2024
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
Moodle 4.3 Cache Poisoning via Local Storage
CVE-2024-43428
7.1 - High
- November 07, 2024
To address a cache poisoning risk in Moodle, additional validation for local storage was required.
Moodle Badge Deletion Privilege Escalation
CVE-2024-43431
7.5 - High
- November 07, 2024
A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
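Most of the "insufficient capability checks" entries on this page (dynamic tables, course badges, badge recipients, RSS feeds, report audiences and schedules, glossary restore, gradebook fields, and this badge deletion) share one shape: the capability is checked somewhere, but the object id the client supplies is never bound to the context in which the check was made. The following is an added illustration for this page, not Moodle's badge or report code; the data arrays and has_capability_in_course() are hypothetical stand-ins for an application's own storage and permission layer.

```php
<?php
// Added illustration, not Moodle code: the IDOR pattern behind these
// advisories (an object id accepted from the client is never tied to the
// context in which the capability was checked) and the fix.
declare(strict_types=1);

// Constructed fixtures: badges belong to a course; a capability is granted
// to a user only within particular course contexts.
$badges = [
    10 => ['name' => 'Course 1 star', 'courseid' => 1],
    11 => ['name' => 'Course 2 star', 'courseid' => 2],
];
$grants = [7 => [1]];   // userid 7 may delete badges in course 1 only

function has_capability_in_course(array $grants, int $userid, int $courseid): bool {
    return in_array($courseid, $grants[$userid] ?? [], true);
}

/**
 * Vulnerable: the capability is checked in a course chosen by the caller,
 * then the delete runs on a badge id also chosen by the caller. Nothing ties
 * $badgeid to $courseid, so a course 1 teacher can delete course 2 badges.
 */
function delete_badge_vulnerable(array &$badges, array $grants, int $userid,
                                 int $courseid, int $badgeid): bool {
    if (!has_capability_in_course($grants, $userid, $courseid)) {
        return false;
    }
    unset($badges[$badgeid]);
    return true;
}

/**
 * Fixed: load the object first, derive the context from the object, and
 * check the capability in that context. The client never chooses the context.
 */
function delete_badge_fixed(array &$badges, array $grants, int $userid, int $badgeid): bool {
    if (!isset($badges[$badgeid])) {
        return false;
    }
    $ownercourse = $badges[$badgeid]['courseid'];
    if (!has_capability_in_course($grants, $userid, $ownercourse)) {
        return false;
    }
    unset($badges[$badgeid]);
    return true;
}

// User 7 presents the course they do have rights in (1) together with a
// badge that belongs to a course they do not (badge 11, course 2).
$copy = $badges;
printf("vulnerable: deleted=%s remaining=%s\n",
    var_export(delete_badge_vulnerable($copy, $grants, 7, 1, 11), true),
    implode(',', array_keys($copy)));

$copy = $badges;
printf("fixed:      deleted=%s remaining=%s\n",
    var_export(delete_badge_fixed($copy, $grants, 7, 11), true),
    implode(',', array_keys($copy)));
```

The vulnerable handler deletes badge 11; the fixed one refuses it and still allows badge 10. The same rule applies to read paths (the information-disclosure entries above): resolve the record, derive its context, check the capability there, and only then return data.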
Moodle Feedback Module CSRF Token Bypass
CVE-2024-43434
8.1 - High
- November 07, 2024
The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.
Moodle Local File Inclusion in Block Backup
CVE-2024-43440
7.5 - High
- November 07, 2024
A flaw was found in Moodle. A local file include (LFI) risk was identified when restoring block backups.
SQL Injection in Moodle XMLDB Editor
CVE-2024-43436
- November 07, 2024
A SQL injection risk was found in the XMLDB editor tool, which is available only to site administrators.
Moodle v3.10 Cross-Site Scripting via Activity Field Name
CVE-2024-37674
- June 20, 2024
Cross-site scripting vulnerability in Moodle v3.10 allows a remote attacker to inject arbitrary web script, executed in the browser of any user who views the affected page, via the Field Name (name parameter) of a new activity.
Moodle cURL Wrapper Authorization Header Leak on Redirects
CVE-2024-38275
- June 18, 2024
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
Insufficient Cleanup
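CVE-2024-38275 and CVE-2024-43432 above are the same bug class: a client that follows redirects itself (an "emulated" redirect, used when CURLOPT_FOLLOWLOCATION cannot be) has to decide per hop which request headers still apply. libcurl's own redirect handling drops a custom Authorization header when the redirect crosses to another host unless CURLOPT_UNRESTRICTED_AUTH is set; an emulated loop has to reproduce that rule. The following is an added example for this page, not Moodle's curl class; origin_of() and headers_for_redirect() are hypothetical helpers and the request is constructed.

```php
<?php
// Added example, not Moodle code: selecting the request headers that may
// accompany the next hop of a manually followed redirect.
declare(strict_types=1);

/** Normalised scheme://host:port, or null if the URL has no scheme/host. */
function origin_of(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

/**
 * Filters "Name: value" header lines for the redirect target. Body-describing
 * headers are always dropped (a redirect is re-issued without the body);
 * credential headers are dropped whenever the origin changes. Hypothetical helper.
 */
function headers_for_redirect(array $headers, string $fromurl, string $tourl): array {
    $from = origin_of($fromurl);
    $sameorigin = $from !== null && $from === origin_of($tourl);

    $alwaysdrop = ['content-length', 'content-type', 'transfer-encoding'];
    $credential = ['authorization', 'proxy-authorization', 'cookie'];

    $out = [];
    foreach ($headers as $line) {
        $name = strtolower(trim(strstr($line, ':', true) ?: ''));
        if ($name === '' || in_array($name, $alwaysdrop, true)) {
            continue;
        }
        if (!$sameorigin && in_array($name, $credential, true)) {
            continue;
        }
        $out[] = $line;
    }
    return $out;
}

// Constructed request: a token-bearing API call that gets redirected.
$request = [
    'Authorization: Bearer placeholder-token',
    'Accept: application/json',
    'Content-Type: application/json',
    'Content-Length: 17',
];

// Cross-origin redirect: only Accept survives.
print_r(headers_for_redirect($request,
    'https://api.example.edu/v1/items', 'https://cdn.attacker.example/collect'));

// Same-origin redirect (default port normalised): Authorization is kept.
print_r(headers_for_redirect($request,
    'https://api.example.edu:443/v1/items', 'https://api.example.edu/v2/items'));
```

The origin comparison deliberately includes the scheme, so an https-to-http downgrade on the same host also drops the credential. Stripping the header is only half of the fix described in the advisories; the other half is that the wrapper must not silently re-add credentials from its own option state (the HTTPAUTH/USERPWD options) on the new hop.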
Moodle Multiple CSRF Risks from Incorrect Token Checks
CVE-2024-38276
8.8 - High
- June 18, 2024
Incorrect CSRF token checks resulted in multiple CSRF risks.
Session Riding
Moodle Workshop Module Restore Local File Include (Shared Hosting)
CVE-2024-34003
- May 31, 2024
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
Moodle Database Activity Module Restore Local File Include (Shared Hosting)
CVE-2024-34005
- May 31, 2024
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
Moodle Feedback Module Restore Local File Include (Shared Hosting)
CVE-2024-34002
- May 31, 2024
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
Moodle Login Page ReCAPTCHA Bypass
CVE-2024-34009
- May 31, 2024
Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.
Moodle MFA Logout CSRF
CVE-2024-34007
- May 31, 2024
The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.
Session Riding
Moodle Wiki Module Restore Local File Include (Shared Hosting)
CVE-2024-34004
- May 31, 2024
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
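The four shared-hosting local file include entries (CVE-2024-34002, -34003, -34004, -34005) describe the same precondition: a path derived from restore data reaches include/require, and a co-tenant who can write outside the Moodle webroot can make that path point at their own PHP. The defence is to canonicalise the path and refuse anything that resolves outside the restore directory before it is included. The following is an added example for this page, not Moodle's backup/restore code; resolve_inside() is a hypothetical helper and the scratch directory, files and symlink are constructed by the script itself.

```php
<?php
// Added illustration, not Moodle code: confining a file path read from
// restore data to the directory it must stay inside before it is ever passed
// to include/require. Requires PHP 8 and a POSIX filesystem for the symlink.
declare(strict_types=1);

/**
 * Returns the canonical absolute path of $relative inside $base, or null if
 * it is missing, contains a NUL byte, or resolves (via '..' or a symlink)
 * to anything outside $base. Hypothetical helper.
 */
function resolve_inside(string $base, string $relative): ?string {
    $realbase = realpath($base);
    if ($realbase === false || $relative === '' || str_contains($relative, "\0")) {
        return null;
    }
    // realpath() follows symlinks, so a link planted inside the tree that
    // points outside it fails the prefix check below.
    $real = realpath($realbase . DIRECTORY_SEPARATOR . $relative);
    if ($real === false) {
        return null;
    }
    if ($real !== $realbase && !str_starts_with($real, $realbase . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Constructed scenario in a scratch directory: one legitimate restore file,
// one '..' traversal, one symlink planted in the restore tree that points
// outside it (what a co-tenant on misconfigured shared hosting could arrange).
$tmp = sys_get_temp_dir() . '/restore_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/backup', 0700, true);
file_put_contents($tmp . '/backup/module.xml', '<module/>');
file_put_contents($tmp . '/outside.php', '<?php echo "must never be included";');
symlink($tmp . '/outside.php', $tmp . '/backup/link.php');

foreach (['module.xml', '../outside.php', 'link.php', 'missing.xml'] as $candidate) {
    $resolved = resolve_inside($tmp . '/backup', $candidate);
    printf("%-16s %s\n", $candidate, $resolved === null ? 'REJECTED' : 'ok: ' . $resolved);
}
// Only a non-null result from resolve_inside() is ever handed to include.

// Remove the scratch tree.
foreach (['backup/link.php', 'backup/module.xml', 'outside.php'] as $f) {
    unlink($tmp . '/' . $f);
}
rmdir($tmp . '/backup');
rmdir($tmp);
```

Only module.xml resolves; the traversal and the symlink both canonicalise to outside.php and are rejected, and the missing file fails realpath(). The check is necessary but the advisories also name the root cause: on shared hosting, tenants must not be able to read or write each other's files at all, which is a web-server and filesystem permission matter rather than an application one.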
Moodle Analytics Model Management CSRF
CVE-2024-34008
8.8 - High
- May 31, 2024
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.
Session Riding
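The CSRF entries on this page fall into three kinds: a state-changing action with no token at all (tour duplication CVE-2025-3635, Brickfield analysis CVE-2025-3638, MFA logout CVE-2024-34007, analytics models CVE-2024-34008), a token that is present but checked incorrectly (CVE-2024-38276, CVE-2024-43434), and a token that is checked but leaks because it is carried in a GET URL (mod_data pages, CVE-2025-3637). The following is an added example for this page, not Moodle's sesskey implementation; csrf_token(), csrf_check() and the two duplicate_tour_* handlers are hypothetical, and the session and data are constructed.

```php
<?php
// Added example, not Moodle code: a per-session anti-CSRF token, its check,
// and the unprotected handler beside the protected one.
declare(strict_types=1);

/** Returns the session's CSRF token, creating it on first use. */
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(16));
    }
    return $session['csrf'];
}

/** Verifies a submitted token against the session's, in constant time. */
function csrf_check(array $session, ?string $submitted): bool {
    if (empty($session['csrf']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf'], $submitted);
}

/**
 * Vulnerable handler: a form auto-submitted from any other site performs the
 * action with the victim's cookies; it checks neither method nor token.
 */
function duplicate_tour_vulnerable(array $session, array $post, array &$tours): bool {
    $id = (int) ($post['id'] ?? 0);
    if (!isset($tours[$id])) {
        return false;
    }
    $tours[] = $tours[$id] . ' (copy)';
    return true;
}

/** Fixed handler: POST only, token verified before any state changes. */
function duplicate_tour_fixed(string $method, array $session, array $post, array &$tours): bool {
    if ($method !== 'POST' || !csrf_check($session, $post['sesskey'] ?? null)) {
        return false;
    }
    $id = (int) ($post['id'] ?? 0);
    if (!isset($tours[$id])) {
        return false;
    }
    $tours[] = $tours[$id] . ' (copy)';
    return true;
}

// Constructed session and data.
$session = [];
$tours = [1 => 'Welcome tour'];
$token = csrf_token($session);

// A forged cross-site request rides the victim's session but cannot read the
// token, so it arrives without one.
$forged = ['id' => 1];
$results = [
    'vulnerable, forged'   => duplicate_tour_vulnerable($session, $forged, $tours),
    'fixed, forged'        => duplicate_tour_fixed('POST', $session, $forged, $tours),
    'fixed, GET with token' => duplicate_tour_fixed('GET', $session, $forged + ['sesskey' => $token], $tours),
    'fixed, real form post' => duplicate_tour_fixed('POST', $session, $forged + ['sesskey' => $token], $tours),
];
print_r($results);
print_r($tours);

// The token belongs in a hidden <input> of a POST form. A link such as
// /mod/data/edit.php?d=5&sesskey=<token> puts it into browser history,
// proxy and server logs, and the Referer header of any off-site link
// clicked from that page, which is the exposure CVE-2025-3637 describes.
```

Only the genuine form post succeeds, so the tour list ends with exactly two entries. Rejecting GET for state-changing actions is what keeps the token out of URLs in the first place; a check that only verifies the token when one happens to be present, or that compares with == instead of hash_equals(), is the "incorrect token check" variety rather than a missing one.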