CVE-2025-71179 identifies a reflected Cross-Site Scripting (XSS) vulnerability in Creativeitem Academy LMS version 7.0. The vulnerability arises from insufficient input sanitization of user-supplied data in two distinct endpoints: the 'search' parameter on /academy/blogs and the 'string' parameter on /academy/course_bundles/search/query. Unlike the previously patched CVE-2023-4119, which addressed XSS in different parameters, this vulnerability remains unpatched and allows attackers to inject malicious JavaScript code that is reflected back in the HTTP response. When a victim user accesses a crafted URL containing the malicious payload, the script executes in their browser context, potentially leading to session hijacking, theft of sensitive information, or redirection to malicious sites. The CVSS 3.1 base score of 6.1 reflects a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, possibly impacting user data confidentiality and integrity. No known exploits have been reported in the wild, but the presence of this vulnerability in an LMS platform used for educational content delivery poses a risk to both users and administrators. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The lack of available patches necessitates immediate mitigation efforts by affected organizations.

For European organizations, especially those in the education and corporate training sectors using Creativeitem Academy LMS 7.0, this vulnerability can lead to unauthorized disclosure of user session tokens or personal data, enabling account takeover or phishing attacks. The reflected XSS can undermine user trust and lead to reputational damage. Confidentiality and integrity of user data are at risk, though availability is not directly impacted. Attackers can exploit this vulnerability remotely without authentication but require user interaction, such as clicking a malicious link. This risk is heightened in environments where users have elevated privileges or access sensitive educational content. Additionally, regulatory compliance concerns arise under GDPR due to potential personal data exposure. The vulnerability could also be leveraged as a stepping stone for more complex attacks within the LMS ecosystem or connected systems.

Given the absence of an official patch, European organizations should implement immediate mitigations including: 1) Applying strict input validation and sanitization on the affected parameters to remove or encode potentially malicious characters; 2) Implementing robust output encoding (e.g., HTML entity encoding) to prevent script execution in the browser; 3) Employing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts; 4) Educating users to avoid clicking suspicious links and reporting unexpected behavior; 5) Monitoring web server logs for unusual request patterns targeting the vulnerable endpoints; 6) If feasible, temporarily disabling or restricting access to the vulnerable endpoints until a patch is available; 7) Keeping the LMS and underlying web server software up to date to reduce attack surface; 8) Considering the use of Web Application Firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting these parameters. These measures collectively reduce the risk of exploitation while awaiting an official fix.