CVE-2025-3647: 
PHP vulnerability analysis and mitigation

CVE-2025-3647 is a security vulnerability discovered in Moodle Learning Management System that was disclosed on April 25, 2025. The vulnerability affects Moodle versions 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17, and earlier unsupported versions. The flaw is related to insufficient authorization checks when accessing cohort data, which could allow users to access data they are not authorized to retrieve (Wiz, NVD).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating that it requires network access and low privileges to exploit, with no user interaction needed (Wiz).

The vulnerability allows unauthorized users to access cohort data they should not have permission to retrieve. This could lead to unauthorized access to sensitive information about user groups within Moodle (Wiz).

The vulnerability has been fixed in Moodle versions 4.5.4, 4.4.8, 4.3.12, and 4.1.18. Organizations running affected versions should upgrade to these patched versions to mitigate the risk (Bugzilla).