Chamilo LMS, an open-source learning management system, contains a critical SQL Injection vulnerability identified as CVE-2025-50188 (CWE-89). This vulnerability exists in versions prior to 1.11.30 due to improper neutralization of special elements in SQL commands. Specifically, the affected scripts /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php fail to adequately validate or sanitize the GET parameter 'value'. This flaw allows an attacker with high privileges to manipulate the SQL query logic by injecting arbitrary SQL statements, potentially leading to unauthorized data access, modification, or deletion within the LMS database. The vulnerability does not require user interaction but does require the attacker to have elevated privileges, which may limit exploitation to insiders or compromised accounts. The issue has been addressed and patched in Chamilo LMS version 1.11.30. The CVSS v4.0 score is 7.0, reflecting high severity due to network attack vector, low attack complexity, no user interaction, and significant impact on confidentiality, integrity, and availability of data. No known exploits have been reported in the wild as of the publication date.

The vulnerability poses a significant risk to organizations using vulnerable Chamilo LMS versions, potentially exposing sensitive educational data, user credentials, and institutional records. Successful exploitation can lead to unauthorized data disclosure, data tampering, or complete compromise of the LMS database. This can disrupt educational services, damage organizational reputation, and lead to regulatory compliance issues, especially where personal data is involved. Since Chamilo LMS is widely used in educational institutions globally, the impact can be broad, affecting schools, universities, and training providers. The requirement for high privileges to exploit somewhat limits the attack surface but does not eliminate insider threats or risks from compromised administrative accounts. The absence of known exploits in the wild suggests limited active exploitation currently, but the availability of a public CVE and patch may increase attacker interest.

Organizations should immediately upgrade Chamilo LMS installations to version 1.11.30 or later, where the vulnerability is patched. Until upgrades are possible, restrict access to the affected plugin scripts and monitor logs for suspicious GET requests targeting 'value' parameters. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns specific to Chamilo LMS plugin endpoints. Enforce the principle of least privilege by limiting administrative and plugin access rights to trusted users only. Conduct regular security audits and vulnerability scans focusing on web application inputs. Additionally, consider database activity monitoring to detect anomalous queries indicative of injection attempts. Educate administrators about the risks of SQL injection and the importance of timely patching. Finally, maintain up-to-date backups to enable recovery in case of data compromise.