Medium severity4.3NVD Advisory· Published Oct 21, 2025· Updated Apr 15, 2026

CVE-2025-60511

Description

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.

Affected products

Onurcangnc/Moodle Block Openai Chatreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

moodle.comnvd
openai.comnvd
onurcangenc.com.tr/posts/idor-in-moodle-openai-chat-block-block_openai_chat-proof-of-concept-poc--cve-2025-60511/nvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000