CVE-2025-11304: Permissive Cross-domain Policy with Untrusted Domains in CodeCanyon Mentor LMS
A flaw has been found in CodeCanyon/ui-lib Mentor LMS up to 1.1.1. Affected by this vulnerability is an unknown functionality of the component API. Executing manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11304 is a medium severity vulnerability identified in the CodeCanyon Mentor LMS product, specifically affecting versions 1.1.0 and 1.1.1. The vulnerability arises from a permissive cross-domain policy configuration within an unspecified API component of the LMS. This misconfiguration allows untrusted domains to interact with the application in ways that should normally be restricted. The flaw can be exploited remotely without authentication, although user interaction is needed to trigger it. A permissive cross-domain policy amounts to unauthorized cross-origin resource sharing: a page served from an untrusted origin can read or submit API responses as if it were the LMS itself, which can enable cross-site scripting (XSS), data theft, or session hijacking by abusing the trust relationship between the LMS and the origins it permits. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting a medium severity level, with network attack vector, low complexity, no privileges required, but requiring user interaction. The impact on confidentiality, integrity, and availability is low to limited, and the scope is confined to the affected LMS installations. The vendor was notified but did not respond, and no patches or mitigations have been published yet. Although no exploitation in the wild is currently known, exploit code has been published, which increases the risk of exploitation over time.
Potential Impact
For European organizations using Mentor LMS versions 1.1.0 or 1.1.1, this vulnerability poses a risk of unauthorized data access or manipulation through cross-origin attacks. Educational institutions, corporate training departments, and other entities relying on Mentor LMS could face data leakage of sensitive user information, including personal data protected under GDPR. The integrity of training content and user session data could also be compromised, potentially undermining trust in the LMS platform. While the vulnerability does not directly lead to system takeover or denial of service, the ability to exploit cross-domain policies can facilitate further attacks such as credential theft or phishing campaigns. Given the remote exploitability and the lack of authentication requirements, attackers can target European organizations with minimal barriers, especially if users are tricked into interacting with malicious content. The absence of vendor response and patches increases the urgency for organizations to implement compensating controls.
Mitigation Recommendations
European organizations should immediately audit their Mentor LMS deployments to identify affected versions (1.1.0 and 1.1.1). Until an official patch is released, organizations should consider the following mitigations:
1) Restrict cross-origin resource sharing (CORS) policies at the web server or application firewall level to allow only trusted origins.
2) Implement Content Security Policy (CSP) headers to limit the sources of executable scripts and reduce the risk of cross-site scripting.
3) Educate users to avoid interacting with suspicious links or content that could trigger the vulnerability.
4) Monitor network traffic for unusual cross-domain requests or data exfiltration attempts.
5) If feasible, isolate the LMS environment from public internet access or restrict access via VPN or IP whitelisting.
6) Engage with CodeCanyon or the LMS vendor for updates and patches, and plan for prompt application of fixes once available.
7) Consider upgrading to a newer, unaffected version if available, or migrating to an alternative LMS platform with a better security posture.
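Mitigation 1 above (allow only trusted origins) is easy to get wrong: reflecting the request's Origin header, matching on a substring, or combining a wildcard with credentials all reproduce a permissive cross-domain policy. The following is an added example, not code from Mentor LMS or its vendor, showing the weak pattern next to an exact-match allowlist; the origins in `TRUSTED_ORIGINS` and the sample Origin values are constructed for illustration.

```python
"""Exact-match CORS allowlisting for an API endpoint (constructed example)."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed allowlist of full origins (scheme + host + optional non-default port).
# Never store bare hostnames or wildcard patterns here.
TRUSTED_ORIGINS = frozenset({
    "https://lms.example.edu",
    "https://portal.example.edu",
})
DEFAULT_PORTS = {"https": 443, "http": 80}


def permissive_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern: reflect whatever Origin the browser sent and allow
    credentials, so any site can read authenticated API responses."""
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Return the canonical scheme://host[:port] form, or None if it is not
    a well-formed Origin value (an Origin has no path, query or fragment)."""
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def restricted_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Hardened pattern: emit Access-Control-Allow-Origin only on an exact
    allowlist match; otherwise the browser blocks the cross-origin read."""
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in TRUSTED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": canonical,  # echo the matched entry, not the raw header
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop shared caches replaying one origin's answer to another
    }
```

Note that a lookalike such as `https://lms.example.edu.evil.test` or a plain-http variant of a trusted host fails the exact match, whereas a prefix or substring check would let it through.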
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-04T18:53:08.673Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e2df953551304f9c7cf52d
Added to database: 10/5/2025, 9:13:57 PM
Last enriched: 10/5/2025, 9:19:07 PM
Last updated: 10/6/2025, 9:49:35 PM
Views: 19