
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-53021 is a session fixation vulnerability in Moodle 3.x through 3.11.18, disclosed on June 24, 2025. It affects only versions of the Moodle learning management system that are no longer supported, and it allows an unauthenticated attacker to hijack another user's session by manipulating the sesskey parameter (NVD, Wiz).
The flaw lies in the OAuth2 login flow. The sesskey parameter, Moodle's per-session anti-CSRF token, can be obtained without authenticating: an attacker creates an anonymous session, extracts its sesskey, embeds it in a crafted OAuth2 login URL and delivers that URL to a victim. The victim having to follow the link is what the UI:R (user interaction required) component of the CVSS vector reflects. The vulnerability carries a CVSS v3.1 base score of 4.2 (Medium), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N, and is classified as CWE-384 (Session Fixation) (NVD, Wiz).
Successful exploitation results in full takeover of the victim's Moodle account: when the victim authenticates through the crafted link, the resulting authenticated session is bound to the sesskey the attacker already holds, so the attacker can act as the victim and reach all associated course materials, personal information and learning resources. Note that the NVD vector rates confidentiality and integrity impact as Low (C:L/I:L), which understates a full account takeover; prioritise remediation on that impact rather than on the 4.2 score (NVD, Moodle OAuth2 CVE).
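The pattern described above, as an added illustration that is not Moodle code and does not reproduce Moodle's real OAuth2 handler: a hypothetical in-memory session table, a login completion step that binds the identity-provider-authenticated user to whichever session the URL's sesskey names (the fixation-prone shape), and a hardened variant that requires the sesskey to belong to the requester's own cookie session and regenerates the session on authentication. The function and field names are assumptions made for the model.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    sid: str                      # value of the session cookie
    sesskey: str                  # per-session anti-CSRF token, readable by whoever owns the session
    user: Optional[str] = None    # None until the session is authenticated


class SessionStore:
    """In-memory stand-in for a server-side session table (hypothetical, not Moodle's)."""

    def __init__(self) -> None:
        self._by_sid: dict = {}

    def create(self) -> Session:
        # Anonymous sessions need no authentication, so an attacker can mint one
        # and read its sesskey at will: that is the precondition for the attack.
        s = Session(sid=secrets.token_hex(16), sesskey=secrets.token_hex(8))
        self._by_sid[s.sid] = s
        return s

    def get(self, sid: str) -> Optional[Session]:
        return self._by_sid.get(sid)

    def find_by_sesskey(self, sesskey: str) -> Optional[Session]:
        return next((s for s in self._by_sid.values() if s.sesskey == sesskey), None)

    def rotate(self, old: Session, user: str) -> Session:
        """Replace a pre-authentication session with a fresh one on login."""
        del self._by_sid[old.sid]
        fresh = Session(sid=secrets.token_hex(16), sesskey=secrets.token_hex(8), user=user)
        self._by_sid[fresh.sid] = fresh
        return fresh


def complete_login_vulnerable(store: SessionStore, url_sesskey: str, idp_user: str) -> str:
    """Fixation-prone shape: bind the authenticated user to whichever session the
    sesskey carried in the login URL names, regardless of who presents the request.
    Returns the sid that now holds the user."""
    s = store.find_by_sesskey(url_sesskey)
    if s is None:
        raise PermissionError("unknown sesskey")
    s.user = idp_user
    return s.sid


def complete_login_hardened(store: SessionStore, cookie_sid: str, url_sesskey: str, idp_user: str) -> str:
    """Hardened shape: the sesskey must belong to the requester's own cookie session,
    and the session is regenerated on authentication so any sid or sesskey that
    existed before login stops working."""
    s = store.get(cookie_sid)
    if s is None or not secrets.compare_digest(s.sesskey, url_sesskey):
        raise PermissionError("sesskey does not belong to the requesting session")
    return store.rotate(s, idp_user).sid


def run_attack(hardened: bool) -> bool:
    """Play out the advisory's scenario and report whether the attacker ends up
    holding a session that is authenticated as the victim."""
    store = SessionStore()
    attacker = store.create()                # 1. attacker creates a session ...
    crafted_sesskey = attacker.sesskey       # 2. ... and extracts its sesskey for the URL
    victim = store.create()                  # 3. the victim's own browser session
    try:                                     # 4. victim follows the link and authenticates
        if hardened:
            complete_login_hardened(store, victim.sid, crafted_sesskey, "victim")
        else:
            complete_login_vulnerable(store, crafted_sesskey, "victim")
    except PermissionError:
        pass
    held = store.get(attacker.sid)           # 5. attacker replays the cookie they already hold
    return held is not None and held.user == "victim"


def legit_login_survives_rotation() -> bool:
    """The hardened flow still logs a genuine user in: the old sid dies and a
    fresh, authenticated sid replaces it."""
    store = SessionStore()
    s = store.create()
    new_sid = complete_login_hardened(store, s.sid, s.sesskey, "alice")
    fresh = store.get(new_sid)
    return new_sid != s.sid and store.get(s.sid) is None and fresh is not None and fresh.user == "alice"


if __name__ == "__main__":
    print("vulnerable flow hijacked:", run_attack(hardened=False))   # True
    print("hardened flow hijacked:  ", run_attack(hardened=True))    # False
    print("legit login still works: ", legit_login_survives_rotation())  # True
```

The two defences in the hardened variant are independent and both matter: checking that the sesskey belongs to the requester's cookie session stops a token minted elsewhere from steering the login, and regenerating the session on authentication (the generic CWE-384 fix) means that even a sesskey or sid that leaked before login is worthless afterwards.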
Because the vulnerability affects only versions that the maintainer no longer supports (Moodle 3.x through 3.11.18), there is no official patch. According to the Moodle Releases page, security fixes for the 3.11.x branch ended on December 11, 2023. Upgrading to a currently supported Moodle release is the remediation; the cited sources give no configuration workaround for the unsupported branches (NVD, Moodle Releases).
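A quick way to tell whether an install falls inside the affected range, added here as an example and not a tool from Moodle or the advisory: read the `$release` assignment from the install's `version.php` (Moodle writes it as a quoted string such as `'3.11.18 (Build: 20231211)'`, optionally with a `+` after the number for weekly builds) and compare the numeric part against the 3.x through 3.11.18 bound stated above. The sample `version.php` texts in the block are constructed for the example.

```python
import re
from typing import Tuple

# Matches Moodle's `$release = '3.11.18 (Build: 20231211)';` line.  A build
# suffix such as '+' or ' (Build: ...)' is absorbed by [^']* and ignored.
RELEASE_RE = re.compile(r"\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?[^']*'")

LAST_AFFECTED = (3, 11, 18)   # upper bound of the affected range given by the advisory


def parse_release(version_php: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the text of Moodle's version.php."""
    m = RELEASE_RE.search(version_php)
    if m is None:
        raise ValueError("no $release assignment found in version.php")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(release: Tuple[int, int, int]) -> bool:
    """True for any 3.x release up to and including 3.11.18."""
    return release[0] == 3 and release <= LAST_AFFECTED


# Constructed sample inputs for the example, not real version.php files.
SAMPLE_OLD = "<?php\n// Moodle version information\n$release  = '3.11.18+ (Build: 20231211)';\n"
SAMPLE_NEW = "<?php\n// Moodle version information\n$release  = '4.4 (Build: 20240422)';\n"


def report(version_php: str) -> str:
    rel = parse_release(version_php)
    return "%d.%d.%d: %s" % (*rel, "AFFECTED, upgrade" if is_affected(rel) else "not affected")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python3 check.py /path/to/moodle/version.php
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(report(fh.read()))
    else:
        for text in (SAMPLE_OLD, SAMPLE_NEW):
            print(report(text))
```

Run it against the real `version.php` of each Moodle host in inventory; any line reporting AFFECTED is a host with no patch available and an upgrade as the only remediation.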
Source: This report was generated using AI