CVE-2025-13278 identifies a SQL injection vulnerability in projectworlds Advanced Library Management System version 1.0, specifically within the /borrowed_book_search.php script. The vulnerability arises from improper sanitization of the datefrom and dateto parameters, which are used to filter borrowed book records. An attacker can remotely manipulate these parameters to inject malicious SQL code, potentially allowing unauthorized access to the backend database. The vulnerability does not require user interaction and can be exploited with low privileges, indicating that an authenticated user with minimal access could launch the attack. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no exploits have been observed in the wild, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The lack of available patches necessitates immediate mitigation efforts by affected organizations. The vulnerability could allow attackers to extract sensitive data, modify records, or disrupt library management operations, which could have broader implications for data privacy and operational continuity.

For European organizations, particularly public and academic libraries using projectworlds Advanced Library Management System 1.0, this vulnerability poses a risk of unauthorized data exposure and potential data manipulation. Confidential patron information, borrowing histories, and other sensitive records could be accessed or altered, undermining user privacy and trust. Integrity of library records may be compromised, affecting operational reliability. Although the vulnerability has a medium severity score, the impact on organizations handling large volumes of personal data under GDPR could be significant, potentially leading to regulatory penalties if data breaches occur. The remote exploitability and lack of required user interaction increase the risk of automated attacks. Disruption of library services could also affect educational and research institutions relying on these systems, impacting broader societal functions.

Organizations should immediately audit their use of projectworlds Advanced Library Management System version 1.0 and restrict access to the /borrowed_book_search.php endpoint. Implementing strict input validation and sanitization for the datefrom and dateto parameters is critical. Employ parameterized queries or prepared statements to prevent SQL injection. Database user permissions should be minimized to limit the scope of potential damage. Network-level controls such as web application firewalls (WAFs) can help detect and block injection attempts. Monitoring logs for unusual query patterns or failed injection attempts is advised. Until an official patch is released, consider isolating the affected system or restricting access to trusted users only. Regular backups of the database should be maintained to enable recovery in case of data tampering. Finally, organizations should stay alert for updates from the vendor and apply patches promptly once available.