CVE-2025-26528: 
PHP vulnerability analysis and mitigation

The CVE-2025-26528 vulnerability affects the drag-and-drop onto image (ddimageortext) question type in Moodle, which required additional sanitizing to prevent a stored Cross-Site Scripting (XSS) risk. The vulnerability was discovered by Vincent Schneider (cli-ish) and was disclosed on February 18, 2025. The affected versions include Moodle 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15, and earlier unsupported versions (Moodle Forum).

The vulnerability is classified as a stored XSS (CWE-79) issue in the drag-and-drop onto image question type component. The CVSS v3.1 base score is 3.4 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N, indicating that it is a network-accessible vulnerability requiring high attack complexity, no privileges, and user interaction (NVD).

The vulnerability allows for stored Cross-Site Scripting attacks, which could potentially allow attackers to inject malicious scripts that would be executed when users view the affected question type. The severity is rated as Minor according to Moodle's security assessment (Moodle Forum).

The vulnerability has been fixed in Moodle versions 4.5.2, 4.4.6, 4.3.10, and 4.1.16. Users are advised to upgrade to these patched versions to mitigate the risk (Moodle Forum).