The vulnerability identified as CVE-2025-60506 affects the Moodle PDF Annotator plugin version 1.5 release 9. It is a stored cross-site scripting (XSS) flaw that arises from insufficient input sanitization in the Public Comments feature of the plugin. Attackers with low-level access, such as students, can inject arbitrary JavaScript payloads into comments attached to annotated PDFs. When other users—including students, teachers, or administrators—open these annotated PDFs, the malicious script executes in their browsers within the context of the Moodle site. This execution can lead to session hijacking, allowing attackers to impersonate victims, steal credentials, or perform unauthorized actions on their behalf. The vulnerability leverages the trust users place in Moodle’s interface and the plugin’s comment functionality. Since the attack vector requires only low-privileged access and no user interaction beyond viewing the annotated PDF, the exploit is relatively easy to carry out once a malicious comment is posted. The vulnerability compromises confidentiality and integrity by exposing session tokens and credentials and potentially enabling privilege escalation or data manipulation. There is no CVSS score assigned yet, no known exploits in the wild, and no official patches or updates published at the time of disclosure. The Moodle platform is widely used in educational institutions globally, including Europe, making this vulnerability a significant concern for academic environments relying on this plugin for PDF annotation and collaboration.

For European organizations, especially educational institutions using Moodle with the PDF Annotator plugin, this vulnerability poses a serious risk. Exploitation can lead to unauthorized access to user sessions, exposing sensitive student and staff data, including personal information and academic records. Credential theft can facilitate further unauthorized access to Moodle or connected systems, potentially compromising the integrity of educational content and assessments. The attack can disrupt normal operations by undermining user trust and forcing emergency remediation efforts. Given the collaborative nature of Moodle, widespread exploitation could lead to significant data breaches and compliance issues under GDPR, resulting in legal and reputational damage. The vulnerability’s ease of exploitation by low-privileged users increases the likelihood of insider threats or opportunistic attacks. The lack of an official patch means organizations must rely on interim mitigations, increasing operational overhead and risk exposure until a fix is available.

1. Immediately restrict or disable the Public Comments feature in the PDF Annotator plugin until a security patch is released. 2. Implement strict input validation and sanitization on all comment fields to prevent JavaScript injection, using server-side filtering if possible. 3. Monitor user comments for suspicious content and remove any potentially malicious entries. 4. Limit the ability to add comments to trusted users or roles with higher privileges temporarily. 5. Educate users about the risk of clicking on annotated PDFs from untrusted sources within Moodle. 6. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 7. Regularly audit Moodle plugins and update them promptly when security patches become available. 8. Consider deploying web application firewalls (WAF) with rules to detect and block XSS payloads targeting Moodle. 9. Review and tighten session management policies to reduce the impact of session hijacking. 10. Prepare incident response plans specific to web application attacks involving Moodle.