Moodle: ajax section delete does not respect course_can_delete_section()
Description
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle fails to enforce capability checks when deleting course sections, allowing users to delete sections they lack permission to modify.
Root cause
The vulnerability arises from insufficient access control checks in Moodle's course section deletion functionality. While the platform requires appropriate permissions to modify course sections, the deletion operation was missing a critical capability check, allowing users to bypass intended restrictions [1][2].
Attack vector
An authenticated user with course access—who does not hold the 'moodle/course:sectiondelete' or similar modification capabilities—can issue requests to delete course sections. The application fails to verify whether the user has the necessary permissions before processing the deletion, effectively making the action available to any user who can interact with the course interface [1][2].
Impact
Successful exploitation permits unauthorized deletion of course sections, potentially removing educational content, activities, and resources that legitimate instructors or administrators have structured. This can disrupt course delivery and require administrative recovery efforts to restore lost data [1][2].
Mitigation
The Moodle project has addressed this issue following the disclosure (tracked as MDL-83994) [3][4]. Administrators are strongly advised to update Moodle installations to the latest patched version that enforces the missing capability checks. No workarounds have been published, and applying the vendor-supplied fix is the recommended course of action.
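To make the root-cause concrete, here is an added sketch of the two handler shapes side by side: the AJAX path that deletes a section after only login and session-key checks, and the hardened path that routes the request through course_can_delete_section() like the non-AJAX code does. This is illustrative code written for this page, not Moodle's own source; the handler names, their parameters and the bootstrap lines are assumptions, while require_login(), require_sesskey(), require_capability(), course_can_delete_section() and course_delete_section() are real Moodle core functions.

```php
<?php
// Illustrative sketch, not Moodle's actual course/ajax or section-deletion code.
// Assumed: the Moodle bootstrap is loaded and the request carries a course id,
// a section number and a session key.
require_once(__DIR__ . '/config.php');           // assumed bootstrap location
require_once($CFG->dirroot . '/course/lib.php'); // course_can_delete_section(), course_delete_section()

/**
 * Vulnerable shape: the handler trusts that the caller can reach the course UI
 * and removes the section without asking whether this user may modify it.
 */
function ajax_delete_section_vulnerable(int $courseid, int $sectionnum): bool {
    global $DB;
    $course  = $DB->get_record('course', ['id' => $courseid], '*', MUST_EXIST);
    $section = $DB->get_record('course_sections',
        ['course' => $courseid, 'section' => $sectionnum], '*', MUST_EXIST);
    require_login($course); // authenticated and enrolled, but no capability check
    require_sesskey();      // CSRF token only; it says nothing about permissions
    return course_delete_section($course, $section, false);
}

/**
 * Hardened shape: every path that removes a section runs the same permission
 * gate as the non-AJAX path, so the decision lives in one place.
 */
function ajax_delete_section_hardened(int $courseid, int $sectionnum): bool {
    global $DB;
    $course  = $DB->get_record('course', ['id' => $courseid], '*', MUST_EXIST);
    $section = $DB->get_record('course_sections',
        ['course' => $courseid, 'section' => $sectionnum], '*', MUST_EXIST);
    require_login($course);
    require_sesskey();
    $context = context_course::instance($course->id);
    // Fail closed before touching any data.
    require_capability('moodle/course:update', $context);
    // course_can_delete_section() additionally refuses section 0 and sections
    // the course format does not allow to be removed; treat a refusal as a
    // permission error rather than silently deleting.
    if (!course_can_delete_section($course, $section)) {
        throw new required_capability_exception($context, 'moodle/course:update',
            'nopermissions', '');
    }
    return course_delete_section($course, $section, false);
}
```

The detection angle for administrators is the same gap: a section deletion logged for a user who holds no editing capability on that course is the signature of the vulnerable path being exercised.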
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 4.1.18 | 4.1.18 |
| moodle/moodle | Packagist | >= 4.3.0-beta, < 4.3.12 | 4.3.12 |
| moodle/moodle | Packagist | >= 4.4.0-beta, < 4.4.8 | 4.4.8 |
| moodle/moodle | Packagist | >= 4.5.0-beta, < 4.5.4 | 4.5.4 |
Affected products
- osv-coords (no CPE), range: < 4.1.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cpm7-mv33-jwf8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-3644 (advisory)
- access.redhat.com/security/cve/CVE-2025-3644 (vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (issue-tracking, x_refsource_REDHAT)
- moodle.org/mod/forum/discuss.php (web)
News mentions
No linked articles in our index yet.