Vulnerability Research
CVE-2025-60507 | Moodle GeniAI plugin v2.3.6: XSS via PDF Upload & Prompt Injection
Chained XSS and prompt injection in Moodle GeniAI plugin v2.3.6 via PDF upload. Demonstrates AI-integrated plugin security risks.
Penetration Testing
Insecure direct object reference in Moodle's OpenAI Chat Block plugin exposing unauthorized access to chat data. Full exploitation walkthrough and CVE details.
Penetration Testing
Stored XSS in Moodle PDF Annotator plugin v1.5 release 9 through malicious annotation content. Technical analysis and responsible disclosure details.
Vulnerability Research
Stored XSS vulnerability in Decap CMS versions up to 3.8.3 allowing script injection through content fields. Includes PoC and remediation steps.
HackTheBox
Nibbleblog CMS arbitrary file upload vulnerability for initial shell, then root access through sudo misconfiguration on Linux.
CTF Writeups
Joomla information disclosure (CVE-2023-23752) leaking database credentials, then privilege escalation to root via apport-cli on Linux.