CVE-2025-13255 is a SQL injection vulnerability identified in projectworlds Advanced Library Management System version 1.0, specifically within the /book_search.php endpoint. The vulnerability arises from improper sanitization or validation of user-supplied input in the parameters book_pub and book_title, which are used in SQL queries. An attacker can remotely manipulate these parameters to inject malicious SQL code, potentially allowing unauthorized access to the backend database. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploit has been publicly disclosed, which increases the likelihood of exploitation attempts. However, no confirmed active exploitation in the wild has been reported yet. The vulnerability affects only version 1.0 of the product, and no official patches or mitigations have been linked in the provided data. This flaw could allow attackers to extract sensitive data, modify records, or disrupt library management operations by executing arbitrary SQL commands. Given the nature of library management systems, the exposure of patron data, book inventories, and transaction records could have privacy and operational consequences.

The SQL injection vulnerability could lead to unauthorized disclosure of sensitive data stored in the library management system's database, including user information, borrowing records, and inventory details. Attackers might also modify or delete data, undermining data integrity and disrupting library operations. Although the impact on availability is rated low, successful exploitation could cause denial of service through database corruption or query manipulation. The remote and unauthenticated nature of the vulnerability increases the risk of widespread exploitation, especially since the exploit code is publicly available. Organizations relying on this system could face data breaches, loss of trust from patrons, and operational downtime. Additionally, if the compromised system is connected to broader institutional networks, attackers might leverage this foothold for lateral movement or further attacks. The medium CVSS score reflects moderate risk, but the public exploit disclosure necessitates prompt attention to prevent escalation.

Since no official patches are currently linked, organizations should implement immediate compensating controls. First, apply strict input validation and sanitization on the book_pub and book_title parameters to block malicious SQL payloads. Employ parameterized queries or prepared statements in the application code to prevent injection. If source code modification is not feasible, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting these parameters. Monitor web server and database logs for suspicious query patterns or repeated access to /book_search.php with unusual inputs. Restrict database user privileges to the minimum necessary to limit the impact of potential injection. Conduct thorough security testing and code reviews of the affected module. Plan to upgrade to a patched version once available from the vendor. Additionally, educate staff about the vulnerability and ensure incident response plans are ready in case of exploitation.