Listen to this Post
This vulnerability exists in Moodle’s account confirmation email service. The function responsible for sending confirmation emails lacks robust rate-limiting controls. A remote attacker can send repeated, automated HTTP POST requests to the relevant endpoint (e.g., /login/confirm.php). Each request can attempt to guess a valid user’s username or email address. Because the system does not sufficiently restrict the number of attempts from a single IP address or session over a short period, it returns discernibly different responses for existing versus non-existing accounts. This allows for efficient user enumeration, reducing the attack surface for subsequent brute-force password attacks. By systematically probing the service, an attacker can compile a list of valid usernames, which significantly increases the success rate of credential-stuffing or password-guessing campaigns against the platform.
DailyCVE Form:
Platform: Moodle
Version: <4.1.22, 4.4.0-4.4.11, 4.5.0-4.5.7, 5.0.0-5.0.3, 5.1.0
Vulnerability: Account Enumeration Brute-force
Severity: High
Date: 2026-02-03
Prediction: Patch Released
What Undercode Say:
curl -X POST https://target/login/confirm.php -d "user=guess1" curl -X POST https://target/login/confirm.php -d "user=guess2" for user in $(cat wordlist.txt); do curl -s -X POST $URL -d "user=$user" | grep -q "valid" && echo "Found: $user"; done
How Exploit:
Automate POST requests to confirmation endpoint. Analyze responses for differences indicating valid accounts. Use gathered list for credential brute-force.
Protection from this CVE:
Apply official patches. Implement web-application firewall (WAF) rules. Enforce strict rate limiting.
Impact:
User account compromise. Credential theft. Unauthorized access.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

