CVE-2025-13278 is a SQL injection vulnerability identified in version 1.0 of projectworlds Advanced Library Management System, specifically within the /borrowed_book_search.php script. The vulnerability arises due to insufficient sanitization or validation of the datefrom and dateto input parameters, which are used in SQL queries to filter borrowed book records. An attacker can remotely manipulate these parameters to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This could lead to unauthorized data disclosure, modification, or deletion. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low impact on confidentiality, integrity, and availability. Despite the moderate impact, the exploitability is straightforward due to lack of authentication and user interaction requirements. No official patches or mitigations have been published yet, and no exploits have been observed in the wild, but public disclosure increases the risk of exploitation by attackers targeting library management systems.

The primary impact of this vulnerability is unauthorized access to the database of the Advanced Library Management System, which may contain sensitive user data such as borrower information, book inventories, and transaction histories. Attackers could extract confidential data, alter records, or delete entries, disrupting library operations and compromising data integrity. This could lead to privacy violations, loss of trust, and operational downtime. Since the system is used in educational and public library environments, the impact extends to students, faculty, and library patrons. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks if the software is deployed in multiple institutions without mitigation. However, the limited market penetration of this specific product and the moderate CVSS score suggest the overall global impact is contained but still significant for affected organizations.

Organizations using projectworlds Advanced Library Management System version 1.0 should immediately audit their deployments for the presence of the vulnerable /borrowed_book_search.php endpoint. Until an official patch is released, implement the following mitigations: 1) Apply input validation and sanitization on the datefrom and dateto parameters to reject or escape malicious SQL syntax; 2) Employ Web Application Firewalls (WAFs) with rules targeting SQL injection patterns on these parameters; 3) Restrict network access to the application to trusted IP ranges where possible; 4) Monitor logs for suspicious query patterns or repeated access attempts to the vulnerable endpoint; 5) Consider isolating the database with least privilege access controls to limit damage if exploited; 6) Engage with the vendor for patch release timelines and apply updates promptly once available. Avoid exposing the management system directly to the internet without protective controls.