PT-2025-42910 · WordPress · Moodle Pdf Annotator

Published: 2025-10-21 · Updated: 2025-10-21 · CVE-2025-60506

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Moodle PDF Annotator plugin version 1.5 release 9

Description: The Moodle PDF Annotator plugin contains a stored cross-site scripting (XSS) flaw in the Public Comments feature. An attacker with a low-privileged account, such as a Student, can store arbitrary JavaScript in a comment. When another user (a Student, Teacher, or Administrator) views the annotated PDF, the stored payload executes in that user's browser, which can lead to session hijacking or credential theft.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
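The description above does not show the plugin's code, so the following is an added illustration (not code from the plugin, from Moodle, or from this advisory) of the general pattern behind a stored XSS in a comment feature: a stored comment echoed into HTML unchanged versus the same comment escaped for the HTML text context. The comment value and the two render functions are constructed for this example.

```php
<?php
// Added illustration, not plugin code: a stored comment echoed raw versus
// escaped for the HTML text context. All values here are constructed.

// Constructed sample of a comment body as it might be stored by a
// low-privileged user; the plugin's real storage path is not on the page.
$stored_comment = '<img src=x onerror="alert(1)">';

// UNSAFE pattern: the stored value is concatenated into the page as-is,
// so every viewer's browser parses the tag and runs the event handler.
function render_comment_unsafe(string $comment): string {
    return '<div class="comment">' . $comment . '</div>';
}

// HARDENED pattern: escape for the HTML text context at output time.
// ENT_QUOTES covers both quote styles (relevant if the value ever lands in
// an attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, so a malformed comment cannot vanish silently.
// In Moodle code the usual helper for this is s(), which wraps
// htmlspecialchars() with ENT_QUOTES.
function render_comment_safe(string $comment): string {
    $escaped = htmlspecialchars(
        $comment,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="comment">' . $escaped . '</div>';
}

// The escaped output must no longer contain a parseable tag.
$safe = render_comment_safe($stored_comment);
assert(strpos($safe, '<img') === false);
assert(strpos($safe, '&lt;img') !== false);

echo render_comment_unsafe($stored_comment), PHP_EOL;
echo $safe, PHP_EOL;
```

The escaping belongs at the point of output, in the context the value is written into; a comment that is later placed inside a JavaScript string or a URL needs the encoding appropriate to that context instead. Escaping on input alone is not a substitute, because the same stored value may be rendered in several contexts.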

Exploit

XSS


Weakness Enumeration

Related Identifiers: CVE-2025-60506

Affected Products: Moodle Pdf Annotator