CVE-2025-13255: SQL Injection in projectworlds Advanced Library Management System
A security flaw has been discovered in projectworlds Advanced Library Management System 1.0. The issue affects unspecified processing in the file /book_search.php. Manipulation of the argument book_pub/book_title results in SQL injection. The attack can be initiated remotely. The exploit has been made public and may be used.
AI Analysis
Technical Summary
CVE-2025-13255 identifies a SQL injection vulnerability in projectworlds Advanced Library Management System version 1.0, specifically within the /book_search.php endpoint. The vulnerability arises due to insufficient sanitization of user-supplied input parameters book_pub and book_title, which are directly incorporated into SQL queries without proper validation or parameterization. This allows a remote attacker to inject malicious SQL code, potentially enabling unauthorized access to the backend database, data exfiltration, or manipulation of stored data. The attack vector requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the ease of exploitation (network accessible, no privileges needed) but limited impact scope (low confidentiality, integrity, and availability impact). While no active exploitation has been reported, the public availability of exploit code raises the risk of future attacks. The vulnerability affects only version 1.0 of the product, and no official patches have been linked yet. The Advanced Library Management System is typically deployed in academic and public library environments, where sensitive patron and bibliographic data are stored. Exploitation could compromise personal information and disrupt library operations.
Potential Impact
For European organizations, especially universities, public libraries, and research institutions using projectworlds Advanced Library Management System 1.0, this vulnerability poses a risk of unauthorized data disclosure and potential data integrity violations. Attackers could extract sensitive patron information, manipulate catalog data, or disrupt search functionality, impacting service availability. Such breaches could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. The medium severity indicates that while the vulnerability is exploitable remotely without authentication, the overall impact on confidentiality, integrity, and availability is limited but non-negligible. Given the critical role of library systems in academic and public sectors, any disruption or data compromise could affect operational continuity and trust. Additionally, the public release of exploit code increases the likelihood of opportunistic attacks targeting unpatched systems across Europe.
Mitigation Recommendations
Organizations should immediately audit their deployments of projectworlds Advanced Library Management System to identify affected instances running version 1.0. In the absence of an official patch, administrators should implement strict input validation and sanitization on the book_pub and book_title parameters to prevent injection of malicious SQL code. Refactoring the application code to use parameterized queries or prepared statements is strongly recommended to eliminate injection vectors. Network-level protections such as web application firewalls (WAFs) should be configured to detect and block SQL injection patterns targeting the vulnerable endpoints. Regular monitoring of database logs for anomalous queries and unusual access patterns can help detect exploitation attempts early. Additionally, restricting database user privileges to the minimum necessary can limit the impact of a successful injection. Organizations should also plan to upgrade to a patched version once available and conduct security awareness training for developers to prevent similar vulnerabilities.
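The refactoring recommended above, shown as an added example written for this page (not code from the projectworlds project, whose source is not reproduced here): the first function illustrates the string-concatenation pattern the advisory describes, the second the prepared-statement replacement with input validation, LIKE-wildcard escaping and a low-privilege database account. The table and column names (books, title, publisher), the database name and the account name library_ro are assumptions.

```php
<?php
// Added example for this advisory; not the projectworlds code. Schema names
// (books, title, publisher) and the account library_ro are assumptions.

// Pattern the advisory describes: request parameters are pasted into the SQL
// text, so their content can change the statement. Kept only for contrast.
function searchBooksUnsafe(mysqli $db, string $title, string $publisher): array
{
    $sql = "SELECT id, title, publisher FROM books "
         . "WHERE title LIKE '%" . $title . "%' "
         . "AND publisher LIKE '%" . $publisher . "%'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Reject empty, over-long or control-character input before it reaches the DB.
function validateSearchTerm(string $s): string
{
    $s = trim($s);
    if ($s === '' || mb_strlen($s) > 100 || preg_match('/[\x00-\x1F\x7F]/', $s)) {
        throw new InvalidArgumentException('invalid search term');
    }
    return $s;
}

// Bound parameters stop SQL injection but not LIKE wildcards; escape % and _
// (and the escape character itself) so users cannot widen the match.
function escapeLike(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// Hardened form: fixed SQL text, values travel as bound parameters.
function searchBooksSafe(PDO $db, string $title, string $publisher): array
{
    $title     = validateSearchTerm($title);
    $publisher = validateSearchTerm($publisher);

    $stmt = $db->prepare(
        'SELECT id, title, publisher FROM books '
        . "WHERE title LIKE :title ESCAPE '!' AND publisher LIKE :pub ESCAPE '!'"
    );
    $stmt->execute([
        ':title' => '%' . escapeLike($title) . '%',
        ':pub'   => '%' . escapeLike($publisher) . '%',
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection for the search page: a read-only account limits what any
// remaining flaw could reach, and native (non-emulated) prepares keep the
// query text and the values separate on the wire.
$db = new PDO(
    'mysql:host=localhost;dbname=library;charset=utf8mb4',
    'library_ro',
    getenv('LIBRARY_RO_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

try {
    $rows = searchBooksSafe(
        $db,
        (string) ($_GET['book_title'] ?? ''),
        (string) ($_GET['book_pub'] ?? '')
    );
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad search term';
}
```

The validation step is a defence in depth only: the prepared statement is what removes the injection, and the length and character checks mainly keep log noise and wildcard abuse down. Granting library_ro SELECT on the catalogue tables alone (no access to patron or account tables) is the least-privilege step the advisory refers to.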
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-16T10:40:27.689Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691a6fd3c118c0da2e30eb43
Added to database: 11/17/2025, 12:44:03 AM
Last enriched: 11/24/2025, 4:50:01 AM
Last updated: 1/7/2026, 5:23:14 AM
Views: 66