CISA issues alert on cross-site scripting vulnerability in Lectora products

Lectora Desktop editions 21.0 through 21.3 and Lectora Online versions 7.1.6 and earlier have been found to contain a Cross-Site Scripting (XSS) vulnerability that affects courses published with Seamless Play Publish enabled while Web Accessibility is disabled. This vulnerability may lead to client-side script execution when exploited.

The vulnerability is identified as CVE-2025-9125 and impacts Lectora Inspire and Lectora Publisher desktop versions from 21.0 to 21.3, as well as Lectora Online versions 7.1.6 and older. The issue arises from how courses published with Seamless Play Publish enabled and Web Accessibility disabled handle crafted URL parameters, enabling JavaScript injection. The desktop version patch was released in version 21.4 on October 25, 2022, but requires users to republish existing courses to apply the fix. The update for Lectora Online, version 7.1.7, was deployed on July 20, 2025, with release notes emphasizing the need to republish courses.

Exploitation of this vulnerability could permit client-side script execution such as popups or redirects, which in turn could enable session hijacking or the redirection of users of affected courses.

Patch versions 21.4 for Lectora Desktop (Inspire and Publisher) and 7.1.7 for Lectora Online address the vulnerability. Desktop users must download the patch from portal.elblearning.com and republish any previously created courses to ensure the fix takes effect. Online users received the update automatically but are also required to republish previously created courses.

The Computer Emergency Readiness Team (CERT) Coordination Center has released this advisory to highlight the vulnerability and the necessary remediation steps, a step warranted by the product's prominent user base, which includes government agencies and large enterprises. Users are advised to follow the official guidance for patching and republishing courses as described.