CVE-2025-13121 identifies a SQL injection vulnerability in cameasy Liketea version 1.0.0, specifically within the list function of the StoreController.php file in the Laravel framework. The vulnerability is triggered by manipulation of the lng/lat parameters passed to the API endpoint, which are not properly sanitized or parameterized before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially leading to unauthorized data retrieval, modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, categorized as medium severity, reflecting its network attack vector, lack of required privileges or user interaction, and limited scope and impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild, the public disclosure increases the risk of exploitation attempts. The affected component is part of the API endpoint handling store-related data, which could expose sensitive business or customer information if compromised. The vulnerability stems from insecure coding practices, such as directly embedding user-controlled input into SQL queries without proper escaping or use of prepared statements. This flaw is typical in web applications that fail to enforce strict input validation and secure database interaction patterns.

For European organizations using cameasy Liketea 1.0.0, this vulnerability poses a significant risk to the confidentiality and integrity of their data. Exploitation could lead to unauthorized access to sensitive customer or business data, data corruption, or disruption of service availability. Retailers and e-commerce platforms relying on this software could suffer financial losses, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The remote, unauthenticated nature of the attack vector increases the likelihood of exploitation by external threat actors, including cybercriminals targeting European markets. Additionally, the public disclosure of the vulnerability may lead to automated scanning and exploitation attempts, increasing the urgency for mitigation. The impact is particularly critical for organizations with large customer databases or those integrated with payment processing systems. Operational disruptions could also arise if attackers manipulate or delete critical data, affecting business continuity.

1. Immediate application of vendor patches or updates once available is the most effective mitigation. 2. In the absence of patches, implement strict input validation and sanitization on the lng/lat parameters at the API gateway or web application firewall (WAF) level to block malicious payloads. 3. Refactor the vulnerable code to use prepared statements or parameterized queries to prevent SQL injection. 4. Employ runtime application self-protection (RASP) tools to detect and block injection attempts in real-time. 5. Monitor API logs and network traffic for unusual query patterns or spikes in error rates indicative of exploitation attempts. 6. Conduct code audits and penetration testing focused on input handling and database interactions to identify and remediate similar vulnerabilities. 7. Educate developers on secure coding practices, emphasizing the dangers of unsanitized input in SQL queries. 8. Limit database user privileges to the minimum necessary to reduce the impact of a successful injection attack. 9. Deploy anomaly detection systems to alert on suspicious activities related to the affected API endpoints. 10. Prepare incident response plans tailored to SQL injection incidents to minimize damage and recovery time.