Description
mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.
Published: 2026-03-18
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs when the plugin fails to verify that the supplied element identifier belongs to the authorized course context during certificate element edits, allowing a teacher with the mod/customcert:manage capability in any single course to view and silently overwrite certificate elements belonging to other courses. This results in unauthorized disclosure and data tampering, classified as CWE-639 (Authorization Bypass Through User-Controlled Key).
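The missing check described above is an ownership check on a client-supplied key. The following is an illustration of what such a check looks like, added here and not the plugin's own code: it uses only Moodle core APIs (require_capability, $DB->get_record_sql, moodle_exception) and assumes the plugin's schema links elements to pages, pages to templates and templates to a contextid through tables named customcert_elements, customcert_pages and customcert_templates.

```php
<?php
// Illustrative ownership check for a client-supplied element id.
// Not the plugin's own code; the table names below are an assumption
// about the mod_customcert schema (element -> page -> template -> context).
defined('MOODLE_INTERNAL') || die();

/**
 * Fetch an element only if it belongs to the course-module context the
 * caller is authorized in. Use this in both the fragment callback that
 * renders the edit form and the web service that saves the element.
 *
 * @param int            $elementid Untrusted id supplied by the client.
 * @param context_module $context   Context of the certificate being edited.
 * @return stdClass The element record.
 * @throws moodle_exception If the element lives in another context.
 */
function customcert_fetch_element_in_context(int $elementid, context_module $context): stdClass {
    global $DB;

    // On its own this is the vulnerable pattern: it only proves the user may
    // manage *some* certificate, not the certificate $elementid belongs to.
    require_capability('mod/customcert:manage', $context);

    // Resolve the element's real owner from server-side data, never from a
    // client-supplied course or template id.
    $sql = "SELECT e.*, t.contextid
              FROM {customcert_elements} e
              JOIN {customcert_pages} p ON p.id = e.pageid
              JOIN {customcert_templates} t ON t.id = p.templateid
             WHERE e.id = :elementid";
    $element = $DB->get_record_sql($sql, ['elementid' => $elementid], MUST_EXIST);

    // The check the vulnerable versions lack: the element's context must be
    // the context in which the capability was granted.
    if ((int) $element->contextid !== (int) $context->id) {
        throw new moodle_exception('nopermissions', 'error', '', 'edit element');
    }

    return $element;
}
```

The same comparison must run before any write, since a read-only check on the edit form does nothing to stop a direct call to the save web service.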

Affected Systems

Affected systems are Moodle installations that use the mdjnelson/moodle-mod_customcert plugin with versions earlier than 4.4.9 for the 4.x line and earlier than 5.0.3 for the 5.x line. All courses managed by users holding the mod/customcert:manage capability are potential targets.

Risk and Exploitability

The CVSS score is 9.6, indicating critical severity. EPSS data is not available, and the vulnerability is not included in the CISA KEV catalog. Exploitation requires only teacher-level access with the mod/customcert:manage capability; no additional conditions or privileges are needed. An attacker can trigger the flaw by sending requests to the core_get_fragment callback editelement or to the mod_customcert_save_element web service, relying on the missing ownership check on elementid.

Generated by OpenCVE AI on March 18, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the mdjnelson/moodle-mod_customcert plugin to version 4.4.9 or 5.0.3, which includes the fix for this authorization bypass


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mdjnelson; Mdjnelson moodle-mod Customcert

Type: Vendors & Products
Values Removed: (none)
Values Added: Mdjnelson; Mdjnelson moodle-mod Customcert

Wed, 18 Mar 2026 03:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

Type: Title
Values Removed: (none)
Values Added: mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:17:40.756Z

Reserved: 2026-03-06T00:04:56.700Z

Link: CVE-2026-30884

Vulnrichment

Updated: 2026-03-18T19:17:37.085Z

NVD

Status : Deferred

Published: 2026-03-18T04:17:18.030

Modified: 2026-04-16T14:46:24.290

Link: CVE-2026-30884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:30Z

Weaknesses