CVE-2026-30884 in moodle-mod_customcert
Summary
by MITRE • 03/18/2026
mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/22/2026
The vulnerability identified as CVE-2026-30884 affects the mdjnelson/moodle-mod_customcert plugin, a widely used Moodle extension for generating customizable certificates. This plugin allows educators to create dynamically generated certificates with extensive customization options through a web browser interface. The flaw resides in the plugin's insufficient access control mechanisms, specifically within two critical functions that handle certificate element management. The vulnerability impacts Moodle installations running versions prior to 4.4.9 and 5.0.3, creating a serious security risk that extends beyond individual course boundaries.
The technical flaw manifests in two primary functions within the plugin's architecture. The `core_get_fragment` callback with the `editelement` parameter and the `mod_customcert_save_element` web service both lack proper validation of the `elementid` parameter against the user's authorization context. This absence of context validation creates a privilege escalation scenario where a teacher possessing the `mod/customcert:manage` capability in one course can access and manipulate certificate elements belonging to any other course within the same Moodle installation. The vulnerability stems from a failure to implement proper access control checks that should verify whether the requested element belongs to the course context of the authenticated user.
This cross-course information disclosure and data tampering capability represents a significant operational impact that undermines the fundamental security model of Moodle's course isolation. An attacker with minimal privileges in one course can silently overwrite certificate elements, potentially compromising the integrity of academic records across multiple courses. The vulnerability enables unauthorized modification of certificate templates, text content, and structural elements that may contain sensitive information or academic credentials. The silent overwrite capability means that such modifications occur without audit trail or notification to legitimate course administrators, making detection particularly challenging.
The vulnerability aligns with CWE-285, which addresses insufficient authorization, and represents a clear violation of the principle of least privilege in the context of Moodle's role-based access control system. From an ATT&CK perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it allows attackers to leverage legitimate teacher accounts to access unauthorized course data. The issue also reflects poor input validation practices as outlined in CWE-20, where the system fails to properly validate that user-supplied parameters reference authorized resources. Organizations using Moodle installations with affected versions face potential academic credential fraud, data integrity compromise, and unauthorized access to sensitive educational information across their institutional network.
The remediation strategy requires immediate deployment of patches to versions 4.4.9 and 5.0.3, which contain the necessary access control fixes. System administrators should conduct thorough vulnerability assessments to identify all affected Moodle installations and implement proper access control monitoring. Additionally, organizations should review and audit existing course permissions to ensure that users have appropriate authorization levels for certificate management. Regular security updates and patch management processes should be enforced to prevent similar vulnerabilities from emerging in other Moodle plugins or components. The fix addresses the core issue by implementing proper context validation that ensures certificate element operations only affect resources within the authenticated user's authorized course scope, thereby restoring the expected security boundaries between courses.