CVE-2025-26529 PoC — Stored XSS risk in admin live log

Source

https://github.com/Astroo18/PoC-CVE-2025-26529

Associated Vulnerability

Title:Stored XSS risk in admin live log (CVE-2025-26529)
Description:Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

Description

SSRF to XSS - XSS to RCE Moodle

Readme

# PoC for CVE-2025-26529 – Moodle XSS to RCE Exploit

This is a Proof of Concept (PoC) demonstrating the SSRF to XSS → XSS to RCE vulnerability chain in Moodle.

## Overview

I’ve uploaded all the necessary files to demonstrate the full chain of exploitation:
1. **SSRF to XSS**
2. **Grabbing the admin cookie**
3. **Using the admin cookie to achieve Remote Code Execution (RCE) in Moodle**

Tested on Moodle version **4.4.5 (Build: 20241209)**.

## Important Instructions

Before proceeding, **make sure to carefully review the files**. You'll need to modify certain elements like your **IP address**.

## PoC Video

For a step-by-step walkthrough, I’ve also uploaded a video demonstrating the exploit:

[PoC for CVE-2025-26529](https://youtu.be/WUUBz1Pq-o4)

## Mitigation Recommendations

To mitigate this vulnerability:
- **Disable the guest user** in Moodle.
- **Update to the latest version** of Moodle.

## Credits

Special thanks to **p0dalirius**, from whom I got the plugin used to upload and gain Remote Code Execution in Moodle.

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!