CVE-2025-71179 Overview
CVE-2025-71179 is a reflected Cross-Site Scripting (XSS) vulnerability affecting Creativeitem Academy LMS version 7.0. The flaw resides in two endpoints: the search parameter sent to /academy/blogs and the string parameter sent to /academy/course_bundles/search/query. Attacker-supplied input is reflected into the rendered response without sufficient sanitization, allowing arbitrary JavaScript execution in the victim's browser. The issue is distinct from the fix delivered for CVE-2023-4119, which only addressed XSS in the query and sort_by parameters of /academy/home/courses. The vulnerability is tracked under CWE-79.
Critical Impact
Successful exploitation enables session hijacking, credential theft, and unauthorized actions executed in the context of authenticated LMS users, including administrators.
Affected Products
- Creativeitem Academy LMS 7.0
- CPE: cpe:2.3:a:creativeitem:academy_lms:7.0:*:*:*:*:*:*:*
- Component: creativeitem:academy_lms
Discovery Timeline
- 2026-02-03 - CVE-2025-71179 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-71179
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the Creativeitem Academy LMS web application. User-supplied input reaches the HTML response without proper output encoding or context-aware escaping. Two endpoints are confirmed vulnerable. The /academy/blogs endpoint reflects the search query parameter into the page body. The /academy/course_bundles/search/query endpoint reflects the string parameter in the same unsafe manner.
An attacker crafts a URL containing a malicious payload in the affected parameter and tricks an authenticated user into visiting it. The browser then executes the injected JavaScript in the origin of the LMS application. Because the application handles authenticated sessions for students, instructors, and administrators, the payload can read cookies, exfiltrate session tokens, alter rendered content, or initiate authenticated requests on behalf of the victim.
Root Cause
The root cause is missing input validation and output sanitization on the search and string request parameters before they are echoed into HTML responses. The earlier patch for CVE-2023-4119 narrowly addressed the query and sort_by parameters in /academy/home/courses and did not extend the sanitization pattern across other reflective endpoints. As a result, equivalent injection sinks remained exploitable.
Attack Vector
Exploitation requires user interaction. An attacker delivers a crafted link, typically through phishing, malicious advertising, or a third-party site, that points to the vulnerable LMS endpoint with an embedded JavaScript payload. Once an authenticated victim opens the link, the script runs under the LMS origin. The scope is changed because injected script can affect resources beyond the originally vulnerable component, including authenticated session data.
No verified proof-of-concept code is published as a controlled artifact in this dataset. Technical details and example payloads are described in the GitHub CVE-2025-71179 Advisory and an associated Exploit-DB entry.
Detection Methods for CVE-2025-71179
Indicators of Compromise
- Requests to /academy/blogs containing HTML or JavaScript metacharacters such as <script>, onerror=, or javascript: in the search parameter.
- Requests to /academy/course_bundles/search/query with encoded or raw script payloads in the string parameter.
- Outbound browser requests from LMS users to unfamiliar domains shortly after visiting Academy LMS URLs, suggesting token or cookie exfiltration.
- Unexpected administrative actions performed from valid sessions without corresponding interactive logins.
Detection Strategies
- Inspect web server and reverse proxy logs for query strings containing angle brackets, event handler attributes, or encoded variants on the affected endpoints.
- Deploy a Web Application Firewall (WAF) rule set targeting reflected XSS patterns on /academy/blogs and /academy/course_bundles/search/query.
- Correlate referrer headers pointing to external domains with subsequent privileged actions inside the LMS.
Monitoring Recommendations
- Forward web access logs into a centralized analytics or SIEM platform and alert on script-like payloads in search and string parameters.
- Monitor browser-side reports via a strict Content Security Policy (CSP) report-only directive to surface injection attempts.
- Track session anomalies such as concurrent sessions from disparate geolocations for administrator accounts.
How to Mitigate CVE-2025-71179
Immediate Actions Required
- Restrict public exposure of the Academy LMS instance and place it behind a WAF with reflected XSS rules enabled.
- Notify users, especially administrators and instructors, to avoid clicking unsolicited links pointing to the LMS domain.
- Rotate session cookies and force re-authentication for privileged accounts if suspicious activity is detected.
Patch Information
No vendor advisory or patch URL is included in the NVD record at the time of publication. Refer to the CreativeItem LMS Product Page and the Codecanyon LMS Product Page for vendor updates. Operators should upgrade to a fixed release once the vendor publishes a version addressing both affected parameters.
Workarounds
- Apply server-side input validation that rejects or HTML-encodes angle brackets, quotes, and event handler patterns in the search and string parameters.
- Enforce a strict Content Security Policy that disallows inline scripts and limits script sources to trusted origins.
- Set the HttpOnly and Secure flags on session cookies to reduce the impact of script-based token theft.
- Use SameSite cookie attributes to limit cross-site request forwarding from attacker-controlled pages.
# Configuration example: example Nginx rule to block obvious XSS payloads
# on the vulnerable endpoints until a vendor patch is applied.
location ~* ^/academy/(blogs|course_bundles/search/query) {
if ($args ~* "(<|%3C)\s*script|onerror=|javascript:") {
return 403;
}
proxy_pass http://academy_lms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

