CVE-2025-13255: SQL Injection in projectworlds Advanced Library Management System
A security flaw has been discovered in projectworlds Advanced Library Management System 1.0. This issue affects some unknown processing of the file /book_search.php. Manipulation of the argument book_pub/book_title results in SQL injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-13255 identifies a SQL injection vulnerability in the Advanced Library Management System (ALMS) version 1.0 developed by projectworlds. The vulnerability exists in the /book_search.php script, where the parameters book_pub and book_title are improperly sanitized before being incorporated into SQL queries. This flaw allows an unauthenticated remote attacker to inject malicious SQL code, potentially manipulating the database queries executed by the system. The attack vector is network accessible, requiring no authentication or user interaction, which increases the risk of exploitation. The CVSS 4.0 vector indicates low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, the public disclosure of the vulnerability and the availability of exploit code heighten the risk of future attacks. The vulnerability could allow attackers to extract sensitive data such as user information and library records, or to modify or delete database entries, potentially disrupting library operations. The lack of an available patch necessitates immediate mitigation efforts. The vulnerability is particularly relevant for organizations relying on this specific version of ALMS, which is likely deployed in academic, public, and research libraries. Given the nature of the system, the impact on data confidentiality and integrity could affect user privacy and operational continuity.
Potential Impact
For European organizations, especially educational institutions, public libraries, and research centers using projectworlds Advanced Library Management System 1.0, this vulnerability poses a risk of unauthorized data disclosure and data manipulation. Compromise of library databases could lead to exposure of patron information, borrowing records, and internal catalog data, undermining user privacy and trust. Integrity violations could disrupt library services by corrupting or deleting records, impacting availability and operational continuity. The medium CVSS score reflects moderate risk; however, the ease of remote exploitation without authentication increases the urgency. Organizations in Europe with limited cybersecurity resources or lacking timely patch management processes are particularly vulnerable. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal data, and exploitation of this vulnerability could lead to compliance violations and reputational damage. The impact is somewhat limited by the niche deployment of the affected product but remains significant for affected entities.
Mitigation Recommendations
1. Immediately implement input validation and sanitization for all user-supplied parameters, especially book_pub and book_title, to prevent injection of malicious SQL code.
2. Refactor the application code to use parameterized queries or prepared statements, eliminating direct concatenation of user input into SQL commands.
3. Restrict network access to the /book_search.php endpoint using firewalls or web application firewalls (WAFs) to limit exposure to trusted IP ranges where feasible.
4. Monitor logs for unusual query patterns or error messages indicative of SQL injection attempts.
5. Conduct a thorough code audit of the entire application to identify and remediate any additional injection points.
6. Engage with the vendor or community to obtain or develop official patches or updates addressing this vulnerability.
7. Educate system administrators and developers on secure coding practices to prevent similar vulnerabilities.
8. Implement database-level protections such as least-privilege access for the application database user to minimize damage in case of exploitation.
9. Consider deploying runtime application self-protection (RASP) tools to detect and block injection attacks in real time.
10. Prepare an incident response plan tailored to potential data breaches resulting from exploitation of this vulnerability.
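The following is an added example of recommendations 2 and 8 (prepared statements and a least-privilege database user) applied to a search handler taking book_title and book_pub; it is not projectworlds' code, and the table name `books`, its columns, and the `alms_ro` account are assumptions, since the page does not show the real schema or query.

```php
<?php
// Added example, not code from projectworlds ALMS. Assumes a MySQL table
// `books` with columns book_id, book_title and book_pub (assumed names) and
// a mysqli connection; the actual query in /book_search.php is not shown.

// Hypothetical vulnerable pattern (illustration only; the real code is unknown):
//   $sql = "SELECT * FROM books WHERE book_title LIKE '%" . $_GET['book_title'] . "%'";
// Interpolating request data lets it change the structure of the query.

function search_books(mysqli $db, string $title, string $pub): array
{
    // Length caps are defence in depth, not the fix; they bound what a
    // single request can push into the search and into the logs.
    if (strlen($title) > 200 || strlen($pub) > 200) {
        return [];
    }

    // The fix: the SQL text is a constant, and user data only reaches the
    // server as bound parameters, so it is never parsed as SQL.
    $sql = "SELECT book_id, book_title, book_pub FROM books
            WHERE book_title LIKE CONCAT('%', ?, '%')
              AND book_pub   LIKE CONCAT('%', ?, '%')
            LIMIT 100";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $title, $pub);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Recommendation 8: connect as a read-only account (assumed name alms_ro)
// that can SELECT from the catalog tables only, so even a second injection
// point elsewhere cannot modify or delete records through this connection.
$db = new mysqli('localhost', 'alms_ro', getenv('ALMS_DB_PASS'), 'alms');
$db->set_charset('utf8mb4');

$rows = search_books($db, $_GET['book_title'] ?? '', $_GET['book_pub'] ?? '');
header('Content-Type: application/json');
echo json_encode($rows);
```

LIKE wildcards (`%` and `_`) in the bound values still act as wildcards; they cannot break out of the query, but escape them if exact substring matching is required.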
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-16T10:40:27.689Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691a6fd3c118c0da2e30eb43
Added to database: 11/17/2025, 12:44:03 AM
Last enriched: 11/17/2025, 12:58:23 AM
Last updated: 11/17/2025, 2:55:04 AM