Chamilo LMS, a widely used open-source learning management system, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-52470. This vulnerability exists in versions prior to 1.11.30 within the session_category_add.php script, where the Category Name input field is not properly sanitized. Privileged users can exploit this flaw by injecting malicious JavaScript code that is persistently stored. When an administrator or authorized user accesses the add_many_sessions_to_category.php page, the injected script executes within their browser context. This can lead to session hijacking, unauthorized actions, or theft of sensitive information. The vulnerability requires the attacker to have high privileges (PR:H) and some user interaction (UI:R), but it does not impact system availability. The CVSS v3.1 base score is 4.8 (medium severity), reflecting limited confidentiality and integrity impact without availability loss. The issue has been addressed and patched in Chamilo LMS version 1.11.30. No public exploits have been reported to date, but the vulnerability poses a risk in environments where multiple administrators or privileged users manage LMS content.

The primary impact of this vulnerability is the potential compromise of administrative sessions through persistent XSS attacks. Attackers with privileged access can inject malicious scripts that execute in the context of other administrators, potentially leading to session hijacking, unauthorized changes to LMS content or settings, and exposure of sensitive data. While availability is not affected, the integrity and confidentiality of the LMS environment are at risk. Organizations relying on Chamilo LMS for educational or training purposes may face disruption of trust, data leakage, or unauthorized administrative control. The risk is heightened in environments with multiple administrators or where privilege separation is weak. Although no known exploits exist currently, the vulnerability could be leveraged in targeted attacks against educational institutions or organizations using Chamilo LMS globally.

To mitigate this vulnerability, organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the issue is patched. In addition, implement strict input validation and output encoding on all user-supplied data, especially fields accessible by privileged users. Limit the number of users with high privileges to reduce the attack surface. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly audit LMS user roles and permissions to ensure least privilege principles are enforced. Monitor LMS logs for unusual activity related to category management pages. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting Chamilo LMS endpoints. Finally, educate administrators about the risks of XSS and safe handling of input fields.