CVE-2025-9125: Cross-Site Scripting Flaw in Lectora Courses Puts E-Learning Platforms at Risk

The CERT Coordination Center (CERT/CC) has issued a vulnerability note warning of a cross-site scripting (XSS) flaw affecting Lectora, a widely used e-learning authoring platform developed by ELB Learning. The flaw, tracked as CVE-2025-9125, impacts both desktop and cloud-based versions of the software when specific publishing settings are enabled.

According to the note, “Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled.”

The flaw arises from improper handling of crafted URL parameters in courses published with affected versions. When exploited, the vulnerability allows malicious JavaScript injection.

As CERT/CC explains, “Exploitation under this scenario could result in client-side script execution (e.g., alert or redirect), which poses a risk of session hijacking or user redirection.”

This makes it possible for attackers to steal session cookies, hijack user sessions, or redirect learners to malicious websites disguised as part of the training content.

The following software releases are vulnerable:

• Lectora Inspire and Lectora Publisher (desktop editions) versions 21.0–21.3
• Lectora Online versions 7.1.6 and older

The vulnerability was first patched in Lectora Desktop version 21.4 (October 25, 2022). However, the critical step of republishing courses to apply the fix was missing from the release notes.

The CERT/CC note stresses, “This important republishing instruction was missing from the Desktop edition release notes, but it was included in the release notes for the recently patched Lectora Online (July 20, 2025).”

The fix is available, but applying it requires action from users:

• Lectora Desktop customers must upgrade to version 21.4 or later and republish all previously created courses to ensure patched output.
• Lectora Online customers were automatically updated to version 7.1.7 on July 20, 2025, but must also republish older courses for the fix to take effect.

Related Posts:

• Google launches free AI and machine learning online resources for everyone
• Microsoft launches 10 new open courses AI training

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy