PT-2025-42919 · WordPress · Moodle Geniai Plugin+1

Published: 2025-10-21 · Updated: 2025-10-21 · CVE-2025-60507

CVSS v3.1: 8.9 (High)

Vector: AC:L/AV:N/A:L/C:H/I:H/PR:L/S:C/UI:R

Name of the Vulnerable Software and Affected Versions: Moodle GeniAI plugin (local geniai) version 2.3.6

Description: A cross-site scripting issue exists in the Moodle GeniAI plugin (local geniai). An authenticated user with Teacher role can upload a PDF file containing embedded JavaScript. The plugin generates a direct HTML link to the uploaded file without proper sanitization. When other users click this link, the JavaScript code executes in their browser. The vulnerable component is local geniai.

Recommendations: Update to a newer version of the Moodle GeniAI plugin that addresses this issue.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-60507

Affected Products

Moodle Geniai Plugin
Local Geniai