
CVE-2026-30884: CWE-639: Authorization Bypass Through User-Controlled Key in mdjnelson moodle-mod_customcert

Severity: Critical
Tags: Vulnerability, CVE-2026-30884, CWE-639
Published: Wed Mar 18 2026 (03/18/2026, 02:26:30 UTC)
Source: CVE Database V5
Vendor/Project: mdjnelson
Product: moodle-mod_customcert

Description

CVE-2026-30884 is a critical authorization bypass vulnerability in the mdjnelson moodle-mod_customcert plugin, affecting versions prior to 4.4.9 and between 5.0.0 and 5.0.3. It allows a teacher with manage permissions in one course to read and overwrite certificate elements in other courses without proper authorization checks. The flaw arises because the plugin's editelement callback and save_element web service fail to verify that the element ID belongs to the teacher's authorized course context. This enables cross-course data disclosure and tampering, potentially compromising certificate integrity and confidentiality across the Moodle installation.

AI-Powered Analysis

Last updated: 03/18/2026, 03:44:10 UTC

Technical Analysis

The mdjnelson moodle-mod_customcert plugin is designed to allow dynamic creation and customization of certificates within Moodle courses. However, in affected versions prior to 4.4.9 and from 5.0.0 up to but not including 5.0.3, there exists a critical authorization bypass vulnerability (CVE-2026-30884) classified under CWE-639 (Authorization Bypass Through User-Controlled Key). Specifically, a teacher who has the 'mod/customcert:manage' capability in any single course can exploit the lack of proper context verification in the 'core_get_fragment' callback 'editelement' and the 'mod_customcert_save_element' web service. These components fail to confirm that the 'elementid' parameter corresponds to certificate elements within the teacher's authorized course context. As a result, the attacker can read sensitive certificate data and silently overwrite certificate elements belonging to other courses across the entire Moodle installation. This cross-course authorization flaw compromises both confidentiality and integrity of certificate data. The vulnerability is remotely exploitable over the network without user interaction but requires the attacker to have teacher-level privileges in at least one course. The issue was addressed in versions 4.4.9 and 5.0.3 by implementing proper context validation to ensure that certificate elements can only be accessed or modified within authorized courses. No public exploits have been reported to date, but the high CVSS score of 9.6 reflects the critical impact and ease of exploitation once privileges are obtained.
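As an added illustration (not code from the plugin or its actual fix), here is the shape of the bug described above beside a context-bound check that closes it. It assumes Moodle's standard require_login()/require_capability()/context_module APIs and a customcert_elements -> customcert_pages -> customcert_templates(contextid) table chain, which may not match the real schema; the same lookup would guard the editelement read path.

```php
<?php
// Added illustration of the CWE-639 pattern described above; not the
// plugin's own code or its actual patch. Assumed: Moodle core APIs
// require_login(), require_capability(), context_module::instance(),
// and a table chain customcert_elements(pageid) -> customcert_pages
// (templateid) -> customcert_templates(contextid); the real schema may differ.
defined('MOODLE_INTERNAL') || die();

// Vulnerable shape: the capability is checked in the context of the course
// module the caller names, but the element is fetched by the user-controlled
// id alone, so an elementid from any other course is accepted.
function customcert_save_element_unsafe(int $cmid, int $elementid, array $data): bool {
    global $DB;
    $context = context_module::instance($cmid);
    require_login();
    require_capability('mod/customcert:manage', $context);

    $element = $DB->get_record('customcert_elements', ['id' => $elementid], '*', MUST_EXIST);
    // Nothing ties $element to $context.
    $element->data = json_encode($data);
    return $DB->update_record('customcert_elements', $element);
}

// Hardened shape: resolve the element to its owning template's context and
// require it to equal the context the capability was granted in. A mismatch
// fails closed with the same error as a missing record.
function customcert_save_element_safe(int $cmid, int $elementid, array $data): bool {
    global $DB;
    $context = context_module::instance($cmid);
    require_login();
    require_capability('mod/customcert:manage', $context);

    $sql = "SELECT e.*, t.contextid
              FROM {customcert_elements} e
              JOIN {customcert_pages} p ON p.id = e.pageid
              JOIN {customcert_templates} t ON t.id = p.templateid
             WHERE e.id = :elementid";
    $element = $DB->get_record_sql($sql, ['elementid' => $elementid]);
    if (!$element || (int) $element->contextid !== (int) $context->id) {
        // Do not reveal whether the id exists elsewhere; treat as not found.
        throw new moodle_exception('invalidrecord', 'error', '', 'customcert_elements');
    }
    unset($element->contextid); // Not a column of customcert_elements.
    $element->data = json_encode($data);
    return $DB->update_record('customcert_elements', $element);
}
```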

Potential Impact

This vulnerability poses a significant risk to educational institutions and organizations using Moodle with the mdjnelson moodle-mod_customcert plugin. An attacker with teacher-level permissions in any course can escalate their access to manipulate certificate data across all courses, potentially issuing fraudulent certificates or altering legitimate ones. This undermines the trustworthiness and integrity of certification processes, which can have legal and reputational consequences. Confidential information related to certificates may also be disclosed across course boundaries, violating privacy and data protection requirements. Since the vulnerability does not require user interaction and can be exploited remotely by authorized teachers, the scope of impact is broad within affected Moodle deployments. Organizations relying on these certificates for accreditation, compliance, or credentialing face risks of fraud, data tampering, and loss of confidence in their learning management systems.

Mitigation Recommendations

Organizations should immediately upgrade the mdjnelson moodle-mod_customcert plugin to version 4.4.9 or later on the 4.x branch, or 5.0.3 or later on the 5.x branch, where the authorization checks have been properly implemented. Until patching is possible, restrict teacher permissions to only trusted personnel and audit existing teacher roles to minimize exposure. Implement strict role-based access controls and monitor logs for unusual certificate element access or modifications across courses. Consider isolating courses or instances where feasible to limit lateral movement. Regularly review and update Moodle and plugin versions to incorporate security fixes promptly. Additionally, conduct internal audits of issued certificates to detect any unauthorized changes or anomalies that may have occurred prior to patching. Employ network segmentation and secure authentication mechanisms to reduce the risk of privilege escalation to teacher roles.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-06T00:04:56.700Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69ba1bd6771bdb17491a1d4e

Added to database: 3/18/2026, 3:28:22 AM

Last enriched: 3/18/2026, 3:44:10 AM

Last updated: 3/18/2026, 3:36:11 PM

