Description
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.
Remediation
References