Stored Cross-Site Scripting Vulnerability in Moodle PDF Annotator Plugin by Moodle
CVE-2025-60506

CVSS 5.4 (MEDIUM)

Key Information:

Vendor: Moodle
CVE Published: 21 October 2025

What is CVE-2025-60506?

The Moodle PDF Annotator Plugin version 1.5 release 9 contains a stored cross-site scripting vulnerability that allows an attacker with a low-privileged account, such as a student, to inject arbitrary JavaScript into the Public Comments feature. Because the comment is stored and rendered without adequate output encoding, the script executes in the browser of every user who opens the annotated PDF, including students, teachers, and admins. This can lead to session hijacking, credential theft, and other unauthorized actions performed in the victim's browser under the attacker's control.
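The root cause described above, stored comment text reaching the page as markup, is shown here beside its hardened form as an added example. This is illustrative code, not the plugin's own, and the comment records, field names (`author`, `text`), and rendering functions are all assumptions constructed for the example.

```javascript
// Added example (not the PDF Annotator plugin's code): rendering stored
// "public comments" into HTML with and without output encoding.
// All comment data below is constructed for illustration.

// Encode the five characters that let text break out of an HTML text or
// attribute context. Encoding "&" in the same pass avoids double-encoding.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored comment fields are concatenated straight into markup,
// so any tag a commenter saved is interpreted by every viewer's browser.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.text}</div>`;
}

// Hardened pattern: every untrusted field is encoded before it reaches the DOM,
// so the same stored text is displayed literally instead of executed.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.text)}</div>`;
}

// Constructed sample of stored comments: one benign, one carrying a script tag.
const storedComments = [
  { author: 'student1', text: 'Good explanation on page 3' },
  { author: 'student2', text: '<script>alert(1)</script>' },
];

// Defender-side triage: list stored comments that already contain markup, so
// existing data can be reviewed after the plugin is patched (encoding on output
// stops execution, but the stored payloads are still worth knowing about).
function findMarkupInStoredComments(comments) {
  return comments.filter((c) => /[<>]/.test(c.author) || /[<>]/.test(c.text));
}

// Render a whole comment thread with either strategy.
function renderAll(comments, safe) {
  return comments.map(safe ? renderCommentSafe : renderCommentUnsafe).join('\n');
}

function demo() {
  console.log('--- unsafe rendering ---');
  console.log(renderAll(storedComments, false));
  console.log('--- safe rendering ---');
  console.log(renderAll(storedComments, true));
  console.log('stored comments containing markup:', findMarkupInStoredComments(storedComments).length);
}
demo();
```

In Moodle itself, plugin output should go through the core helpers (`s()` for plain text, or `format_text()` with a filtered format) rather than a hand-written escaper like the one above; the example only makes the difference between the two rendering paths visible.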

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved