CVE-2025-3636: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in Moodle (CVE-2025-3636) that allows unauthorized users to access and view RSS feeds due to insufficient capability checks. The vulnerability was disclosed on April 25, 2025, and affects Moodle versions 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17, and earlier unsupported versions (Wiz Security, NVD).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue stems from inadequate permission checks in the Moodle RSS Block component, which fails to properly validate user capabilities before allowing access to RSS feeds (NVD, Wiz Security).

The vulnerability allows unauthorized users to view RSS feeds that they should not have access to, potentially exposing sensitive information that was intended to be restricted. The impact is limited to confidentiality breach with no effect on integrity or availability of the system (Wiz Security).

The vulnerability has been fixed in Moodle versions 4.5.4, 4.4.8, 4.3.12, and 4.1.18. Users are advised to upgrade to these patched versions to address the security issue (Bugzilla).