CVE-2025-3625
Moodle: user dos and name disclosure via idor in moodle mfa email factor revoke action
7.1
HIGH
CVSS 3.1
EPSS 0.10%
Description
A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).
How to fix CVE-2025-3625
To remediate CVE-2025-3625, upgrade the affected package to a fixed version below.
- —upgrade to 4.3.12 or later
Is CVE-2025-3625 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |