Description
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.
Remediation
References