The vulnerability identified as CVE-2025-60506 affects the Moodle PDF Annotator plugin version 1.5 release 9. It is a stored cross-site scripting (XSS) flaw classified under CWE-79. The issue arises from insufficient sanitization of user input in the Public Comments feature, allowing an attacker with a low-privileged account (e.g., a student) to inject arbitrary JavaScript payloads into comments attached to annotated PDFs. When other users, including students, teachers, or administrators, open the annotated PDF within Moodle, the malicious script executes in their browser context. This execution can lead to session hijacking, credential theft, or other unauthorized actions controlled by the attacker. The vulnerability requires the victim to view the malicious comment, thus involving user interaction. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, user interaction needed, scope change, and partial impact on confidentiality and integrity but no impact on availability. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed as of October 21, 2025.

For European organizations, particularly educational institutions using Moodle with the PDF Annotator plugin, this vulnerability poses a significant risk to user data confidentiality and integrity. Attackers could hijack sessions of teachers or administrators, potentially gaining unauthorized access to sensitive educational resources or administrative functions. Credential theft could lead to broader compromise of Moodle environments or connected systems. The impact is heightened in environments with many users and frequent PDF annotation activities. Although availability is not directly affected, the breach of trust and potential data leakage could disrupt educational operations and damage institutional reputation. The medium severity rating suggests a moderate but actionable risk, especially given the low privilege required to exploit and the potential for lateral movement within the platform.

Organizations should immediately audit their Moodle installations to identify the use of the PDF Annotator plugin version 1.5 release 9. Until an official patch is released, administrators should consider disabling the Public Comments feature or restricting commenting privileges to trusted users only. Implementing strict input validation and output encoding on comment fields can reduce the risk of XSS payload injection. Additionally, deploying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular user education on phishing and suspicious content, combined with monitoring for unusual session activity, can help detect exploitation attempts. Finally, organizations should stay alert for official patches or updates from the plugin maintainers and apply them promptly once available.