Medium severity5.4NVD Advisory· Published Oct 21, 2025· Updated Apr 15, 2026

CVE-2025-60506

Description

Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotated PDF, the payload is executed in their browser, leading to session hijacking, credential theft, or other attacker-controlled actions.

Affected products

Onurcangnc/Moodle Xss Pdfannotatorreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

onurcangenc.com.tr/blog/moodle-xss-pdfannotatornvd
onurcangenc.com.tr/posts/cve-2025-60506-stored-cross-site-scripting-xss-in-moodle-pdf-annotator-plugin-v1-5-release-9/nvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000