CVE-2025-52470 is a stored cross-site scripting (XSS) vulnerability identified in the Chamilo Learning Management System (LMS), specifically affecting versions prior to 1.11.30. The vulnerability exists in the session_category_add.php script due to improper neutralization of input during web page generation, classified under CWE-79. Privileged users can exploit this by injecting malicious JavaScript code into the Category Name field, which is not properly sanitized before being stored. This persistent script is then executed when an administrator or user with sufficient privileges accesses the add_many_sessions_to_category.php page, potentially allowing the attacker to hijack administrative sessions or perform unauthorized actions within the LMS environment. The vulnerability requires the attacker to have high privileges (e.g., a user with rights to add categories) and some user interaction to trigger the payload execution. The CVSS v3.1 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed, with impacts on confidentiality and integrity but no availability impact. The issue has been addressed and patched in Chamilo LMS version 1.11.30. No known exploits have been reported in the wild to date. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those handling privileged user input and administrative functions.

The primary impact of CVE-2025-52470 is the potential compromise of administrative sessions within Chamilo LMS installations running vulnerable versions. Successful exploitation can lead to unauthorized access to sensitive administrative functions, data leakage, and manipulation of LMS content or user data. This can undermine the confidentiality and integrity of the learning management environment, potentially affecting course management, user records, and institutional data. While the vulnerability does not affect availability, the breach of administrative privileges can facilitate further attacks or unauthorized changes. Organizations relying on Chamilo LMS for education or training may face reputational damage, compliance issues, and operational disruptions if exploited. The requirement for high privileges and user interaction limits the attack surface but does not eliminate risk, especially in environments with many privileged users or insufficient access controls.

To mitigate CVE-2025-52470, organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. In addition, implement strict input validation and output encoding on all user-supplied data fields, especially those accessible by privileged users. Restrict the number of users with high privileges to minimize the risk of malicious input injection. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS payloads by restricting script execution sources. Regularly audit and monitor LMS logs for unusual activity related to category management or session handling. Conduct security awareness training for privileged users to recognize and avoid unsafe practices. Finally, consider deploying web application firewalls (WAFs) with rules tuned to detect and block XSS attack patterns targeting the LMS.