Insecure Direct Object Reference in Moodle OpenAI Chat Block Plugin
CVE-2025-60511
Currently unrated
What is CVE-2025-60511?
The Moodle OpenAI Chat Block plugin version 3.0.1 suffers from an Insecure Direct Object Reference (IDOR) vulnerability caused by inadequate validation of the blockId parameter in the API endpoint /blocks/openai_chat/api/completion.php. Because the endpoint acts on whatever block instance id the caller supplies, an authenticated student can reference another user's block instance, such as an administrator's, and send queries that are executed under the configuration of that block. As a result, sensitive administrator-only data may be exposed, the behavior of the model could be tampered with, and API resources may be misused.
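The defensive pattern that closes this class of bug in a Moodle block API endpoint, written here as an added example and not taken from the plugin's own code: the block instance named by `blockId` is loaded, checked to be an instance of this block, and the caller must be allowed to view the context the block is placed in before its configuration is used. The function name `openai_chat_load_authorized_block` is assumed; the Moodle core calls (`require_login`, `context_block::instance`, `require_capability`, `required_param`) are real.

```php
<?php
// Added example (not the plugin's own code): the guard a Moodle block API
// endpoint needs before acting on a caller-supplied block instance id.
require_once(__DIR__ . '/../../../config.php');

require_login();            // rejects anonymous callers
require_sesskey();          // CSRF token expected on AJAX-style endpoints

// VULNERABLE PATTERN (for contrast): the id alone selects the configuration.
//   $blockid = required_param('blockId', PARAM_INT);
//   $config  = $DB->get_field('block_instances', 'configdata', ['id' => $blockid]);
// Any authenticated user can name any block instance, including an admin's.

// HARDENED PATTERN: bind the object reference to an authorization decision.
function openai_chat_load_authorized_block(int $blockid): stdClass {
    global $DB, $USER;

    // 1. The id must refer to an instance of *this* block, not an arbitrary one.
    $instance = $DB->get_record('block_instances',
        ['id' => $blockid, 'blockname' => 'openai_chat'], '*', MUST_EXIST);

    // 2. Resolve the block's own context and the context it is placed in
    //    (a course, a user's dashboard, the site front page, ...).
    $blockcontext  = context_block::instance($instance->id);
    $parentcontext = $blockcontext->get_parent_context();

    // 3. The caller must be able to see that parent context. For a course this
    //    enforces enrolment; for another user's dashboard it is refused outright.
    if ($parentcontext->contextlevel == CONTEXT_COURSE) {
        require_login($parentcontext->instanceid);
    } else if ($parentcontext->contextlevel == CONTEXT_USER
            && $parentcontext->instanceid != $USER->id) {
        throw new required_capability_exception($parentcontext,
            'moodle/block:view', 'nopermissions', '');
    }
    require_capability('moodle/block:view', $blockcontext);

    return $instance;
}

$blockid  = required_param('blockId', PARAM_INT);
$instance = openai_chat_load_authorized_block($blockid);
// Only now may $instance->configdata be decoded and used to build the request.
```

Logging the rejected block id and user on the exception path gives the operations team a detection signal for probing of this endpoint.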