PT-2026-26023 · Moodle+1 · Moodle+1

Taka-Cst · Published 2026-03-15 · Updated 2026-03-18 · CVE-2026-30884

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
mdjnelson/moodle-mod_customcert versions prior to 4.4.9 and 5.0.3

Description
The mdjnelson/moodle-mod_customcert plugin for Moodle, used for creating dynamically generated certificates, contains a flaw where a teacher with the mod/customcert:manage permission in any course can read and silently overwrite certificate elements belonging to other courses within the Moodle installation. This occurs because the core_get_fragment callback editelement and the mod_customcert_save_element web service do not verify that the supplied elementid belongs to the authorized context. This enables cross-course information disclosure and data tampering. The elementid parameter is vulnerable, allowing unauthorized access and modification of certificate data.

Recommendations
Versions prior to 4.4.9 should be updated to version 4.4.9 or later. Versions prior to 5.0.3 should be updated to version 5.0.3 or later.
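
The missing ownership check from the description, shown as an added example that is not the plugin's code or its fix: a self-contained PHP model of authorizing one context and then checking that the supplied elementid resolves to that same context. The element, page, template and context layout, the function names and all ids are constructed assumptions.

```php
<?php
// Constructed sample data modelling an element -> page -> template -> context chain.
// Field and function names are assumptions for illustration, not the plugin's schema.
const TEMPLATES = [1 => ['contextid' => 101], 2 => ['contextid' => 202]];
const PAGES     = [10 => ['templateid' => 1], 20 => ['templateid' => 2]];
const ELEMENTS  = [
    1000 => ['pageid' => 10, 'name' => 'Course A signature'],
    2000 => ['pageid' => 20, 'name' => 'Course B signature'],
];
// Constructed grants: userid => contextids where the user holds mod/customcert:manage.
const MANAGE_GRANTS = [7 => [101]];

function has_manage(int $userid, int $contextid): bool {
    return in_array($contextid, MANAGE_GRANTS[$userid] ?? [], true);
}

// Resolve the owning context by walking up from the element itself,
// never from anything else the caller supplied.
function element_contextid(int $elementid): ?int {
    $element  = ELEMENTS[$elementid] ?? null;
    $page     = $element ? (PAGES[$element['pageid']] ?? null) : null;
    $template = $page ? (TEMPLATES[$page['templateid']] ?? null) : null;
    return $template['contextid'] ?? null;
}

// Flawed pattern: the capability is checked on the context named in the
// request, but the element is then loaded by id alone.
function load_element_unchecked(int $userid, int $contextid, int $elementid): ?array {
    if (!has_manage($userid, $contextid)) {
        return null;
    }
    return ELEMENTS[$elementid] ?? null;
}

// Corrected pattern: the element must belong to the context that was authorized.
function load_element_checked(int $userid, int $contextid, int $elementid): ?array {
    if (!has_manage($userid, $contextid)) {
        return null;
    }
    if (element_contextid($elementid) !== $contextid) {
        return null; // unknown element, or element owned by another context
    }
    return ELEMENTS[$elementid];
}

// User 7 manages context 101 only; element 2000 belongs to context 202.
var_dump(load_element_unchecked(7, 101, 2000) !== null); // element from another context
var_dump(load_element_checked(7, 101, 2000) !== null);   // same request, ownership enforced
var_dump(load_element_checked(7, 101, 1000) !== null);   // element in the user's own context
```

The same ownership test applies to both the read path and the save path, since the description names both as affected.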

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

BDU:2026-07583
CVE-2026-30884
GHSA-8PJR-J7R4-CCJX

Affected Products

Moodle
Moodle-Mod Customcert