
CVE-2025-13254: SQL Injection in projectworlds Advanced Library Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-13254
Published: Mon Nov 17 2025 (11/17/2025, 00:02:07 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: Advanced Library Management System

Description

A vulnerability was identified in projectworlds Advanced Library Management System 1.0. It affects unknown code in the file /add_member.php: manipulation of the roll_number argument leads to SQL injection. The attack can be launched remotely. An exploit is publicly available and may be used.

AI-Powered Analysis

AI analysis last updated: 11/24/2025, 04:49:50 UTC

Technical Analysis

CVE-2025-13254 is a SQL injection vulnerability in projectworlds Advanced Library Management System 1.0, located in the /add_member.php script. The roll_number request parameter is placed into a SQL statement without validation or parameterization, so an attacker who controls that value can change the structure of the query rather than only the value being compared, and thereby read or modify data in the backend database. The flaw is reachable over the network and needs no user interaction. The CVSS 4.0 base score is 5.3 (medium); the record lists the attack vector as network, attack complexity as low, no privileges required and no user interaction. Confidentiality, integrity and availability impact are each rated low, but a successful injection can still expose member records or corrupt them. No exploitation in the wild has been reported, but a public exploit exists, which lowers the effort needed to attack exposed installations. No vendor patch or advisory is listed at the time of writing, so operators must mitigate on their own. Because the software manages library memberships and loan records, exploitation could leak personal data or disrupt day-to-day operations.
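To make the flaw concrete, the following is an added demonstration and not code from the projectworlds application: it uses Python's sqlite3 as a stand-in for the PHP/MySQL code, reconstructs the vulnerable pattern hypothetically (a lookup by roll_number built by string concatenation), and shows the parameterized, allowlisted version the mitigations call for. The members table, the sample rows, the assumed roll-number format and all function names are assumptions.

```python
import re
import sqlite3

# Assumed roll-number format (not stated in the advisory): letters, digits and
# hyphens, 1 to 20 characters. Tighten this to whatever the real deployment uses.
ROLL_RE = re.compile(r"^[A-Za-z0-9-]{1,20}$")


def make_db():
    """Constructed in-memory stand-in for the application's members table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "roll_number TEXT NOT NULL UNIQUE)"
    )
    con.executemany(
        "INSERT INTO members (name, roll_number) VALUES (?, ?)",
        [("Alice", "R001"), ("Bob", "R002")],
    )
    return con


def find_member_vulnerable(con, roll_number):
    """Hypothetical reconstruction of the flawed pattern: the request parameter is
    concatenated into the SQL text, so a quote in it changes the query's structure."""
    sql = "SELECT name FROM members WHERE roll_number = '" + roll_number + "'"
    return [row[0] for row in con.execute(sql)]


def find_member_safe(con, roll_number):
    """Parameterized query: the SQL text is constant and the driver binds the value,
    so the input can only ever be compared, never parsed as SQL."""
    rows = con.execute("SELECT name FROM members WHERE roll_number = ?", (roll_number,))
    return [row[0] for row in rows]


def add_member_safe(con, name, roll_number):
    """Allowlist validation plus a prepared statement. Returns the new row id or
    raises ValueError when the roll number does not match the expected format."""
    if not ROLL_RE.fullmatch(roll_number):
        raise ValueError("roll_number has an unexpected format")
    cur = con.execute(
        "INSERT INTO members (name, roll_number) VALUES (?, ?)", (name, roll_number)
    )
    return cur.lastrowid


if __name__ == "__main__":
    con = make_db()
    tautology = "' OR '1'='1"  # turns the WHERE clause into "always true"
    union = "x' UNION SELECT roll_number FROM members --"  # appends a second SELECT
    print("vulnerable, tautology:", find_member_vulnerable(con, tautology))
    print("vulnerable, union:    ", find_member_vulnerable(con, union))
    print("safe, tautology:      ", find_member_safe(con, tautology))
    print("safe, union:          ", find_member_safe(con, union))
```

The two vulnerable calls return every member name and then the roll numbers of every row, while the parameterized calls return nothing because no roll number literally equals the payload. Validation alone is not the fix: the prepared statement is what removes the injection, and the allowlist simply rejects junk earlier and keeps error messages out of the attacker's hands.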

Potential Impact

For European organizations, particularly educational institutions, libraries and research centres running projectworlds Advanced Library Management System 1.0, the vulnerability risks unauthorized access to member data such as personal identifiers and borrowing records. Disclosure of that data could breach GDPR and other data protection obligations. Integrity is also at stake: an attacker who can alter or delete records disrupts library operations and undermines trust in the catalogue. Availability impact is rated low, but corrupted tables can still take the service down. The public exploit raises the chance of opportunistic attacks, especially where large academic and public library networks expose this software. Consequences may include reputational damage, regulatory penalties and operational disruption.

Mitigation Recommendations

1. Validate the roll_number parameter in /add_member.php against an allowlist of the characters and length a real roll number can have, and reject anything else.
2. Rewrite the database access to use parameterized queries or prepared statements (in PHP, PDO or mysqli with bound parameters) so that user input is never concatenated into SQL text; validation on its own does not close the hole.
3. Audit every other input handler in the application for the same pattern; a project with one concatenated query usually has more.
4. Run the application with a database account limited to the tables and operations it needs, so a successful injection cannot read or alter unrelated data.
5. Monitor web-server and application logs for requests to /add_member.php that carry quotes, comment sequences or SQL keywords in parameters, and for unexpected SQL errors or 5xx responses from that endpoint.
6. Where possible, place the system behind a web application firewall tuned to block SQL injection attempts. Treat this as a compensating control while the code is fixed, not as the fix.
7. Check with the vendor or the project community for a patch or updated release.
8. Train administrators and developers in secure coding practices so the same class of flaw is not reintroduced.
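Mitigation 5 asks for log monitoring. The following is an added example, not part of the original analysis or the vendor's software: it scans constructed web-server access-log lines for requests to /add_member.php whose decoded query parameters carry SQL injection indicators, or that returned a 5xx status. The log lines, the regular expressions, the endpoint constant and the function names are all assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined"-style access log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic SQL injection indicators in a decoded parameter value: a quote, a
# comment opener, a boolean tautology, UNION SELECT, or a time-based function.
SQLI_RE = re.compile(
    r"'|--|/\*|\bor\b\s+\S+\s*=\s*\S+|\bunion\b\s+(?:all\s+)?select\b|\b(?:sleep|benchmark)\s*\(",
    re.IGNORECASE,
)

TARGET_PATH = "/add_member.php"  # endpoint named in the advisory

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
LOG_LINES = [
    '203.0.113.7 - - [17/Nov/2025:10:21:05 +0000] "GET /add_member.php?name=Alice&roll_number=R001 HTTP/1.1" 200 1834',
    '203.0.113.9 - - [17/Nov/2025:10:22:41 +0000] "GET /add_member.php?name=x&roll_number=%27+OR+%271%27%3D%271 HTTP/1.1" 200 2210',
    '203.0.113.9 - - [17/Nov/2025:10:22:58 +0000] "GET /add_member.php?name=x&roll_number=R001%27+UNION+SELECT+1%2Cuser%28%29%2C3--+- HTTP/1.1" 500 512',
    '198.51.100.4 - - [17/Nov/2025:10:23:10 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '203.0.113.9 - - [17/Nov/2025:10:23:30 +0000] "POST /add_member.php HTTP/1.1" 302 0',
]


def parse_line(line):
    """Split one access-log line into fields; query parameters are percent-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the reasons a request to the target endpoint looks suspicious (empty if none)."""
    reasons = []
    if rec["path"] != TARGET_PATH:
        return reasons
    for name, value in rec["params"].items():
        if SQLI_RE.search(value):
            reasons.append("sqli_pattern:" + name)
    if rec["status"] >= 500:
        reasons.append("server_error")  # a broken query often surfaces as a 5xx
    return reasons


def scan(lines):
    """Return one alert per suspicious request, with the decoded parameters attached."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                           "params": rec["params"], "reasons": reasons})
    return alerts


def blind_spots(lines):
    """Count POST requests to the endpoint: their form fields are not in the access log."""
    return sum(
        1 for line in lines
        if (rec := parse_line(line)) and rec["method"] == "POST" and rec["path"] == TARGET_PATH
    )


if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(alert["ts"], alert["ip"], alert["reasons"], alert["params"])
    print("POSTs whose body was not logged:", blind_spots(LOG_LINES))
```

Two of the five constructed lines produce alerts: the tautology payload and the UNION payload, the latter also flagged for its 500 response. The last line shows the main blind spot of this approach: if the form submits roll_number by POST, the value sits in the request body and never reaches the access log, so detection there needs application-level logging or WAF logs. The quote pattern will also fire on legitimate values such as names with apostrophes, so tune the indicators to the real roll-number format before alerting on them.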


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2025-11-16T10:40:24.630Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 691a6fd3c118c0da2e30eb3d

Added to database: 11/17/2025, 12:44:03 AM

Last enriched: 11/24/2025, 4:49:50 AM

Last updated: 1/7/2026, 8:48:07 AM


