
CVE-2025-13396: SQL Injection in code-projects Courier Management System

Medium
Published: Wed Nov 19 2025 (11/19/2025, 15:32:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Courier Management System

Description

A weakness has been identified in code-projects Courier Management System 1.0. It affects an unknown function in the file /add-office.php. Manipulation of the argument OfficeName leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

AI-Powered Analysis

AI analysis last updated: 11/26/2025, 16:03:07 UTC

Technical Analysis

CVE-2025-13396 identifies an SQL injection vulnerability in the code-projects Courier Management System version 1.0. The flaw exists in the /add-office.php script, where the OfficeName parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This injection can be performed remotely without authentication or user interaction, making it accessible to a wide range of attackers. The vulnerability can lead to unauthorized access to the backend database, enabling attackers to read, modify, or delete sensitive courier management data. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering the attack vector is network-based with low complexity and no privileges or user interaction required. However, the impact on confidentiality, integrity, and availability is limited to low, indicating partial compromise rather than full system takeover. No official patches have been linked yet, but the presence of public exploit code increases the risk of exploitation. The vulnerability is significant for organizations relying on this system for managing courier offices, as it could expose operational data and customer information to attackers.

Potential Impact

For European organizations, this vulnerability poses risks to the confidentiality and integrity of courier management data, including office locations, operational details, and potentially customer information. Exploitation could disrupt courier operations by altering or deleting critical data, leading to service delays or failures. Data breaches resulting from SQL injection could also lead to regulatory non-compliance under GDPR, resulting in financial penalties and reputational damage. Organizations in logistics, delivery services, and supply chain management that use the affected Courier Management System version 1.0 are particularly vulnerable. The medium severity rating suggests that while the threat is serious, it may not lead to full system compromise but could still cause significant operational and data security issues. The availability of public exploit code increases the likelihood of opportunistic attacks, especially from automated scanning tools targeting known vulnerabilities.

Mitigation Recommendations

Organizations should immediately audit their use of the code-projects Courier Management System and confirm if version 1.0 is in use. If so, they should implement strict input validation and sanitization on the OfficeName parameter to prevent SQL injection. Employing parameterized queries or prepared statements in the /add-office.php script is critical to eliminate injection vectors. Monitoring and logging database queries for anomalous activity can help detect exploitation attempts early. If vendor patches or updates become available, they should be applied promptly. Network-level protections such as web application firewalls (WAFs) can be configured to block malicious SQL payloads targeting this endpoint. Additionally, restricting access to the management interface to trusted IPs or VPNs can reduce exposure. Regular security assessments and penetration testing should be conducted to ensure no other injection points exist. Finally, organizations should review their incident response plans to handle potential data breaches stemming from this vulnerability.
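As an added example (not code from the code-projects project), the handler pattern the Technical Analysis and Mitigation Recommendations call for: OfficeName is validated for length and character set, then written through a PDO prepared statement so the value can no longer alter the query; the `offices` table, `office_name` column and environment-variable credentials are assumptions.

```php
<?php
// Added example, not code from the code-projects Courier Management System:
// a hardened handler for the OfficeName parameter of /add-office.php.
// Assumed (hypothetical) schema: table `offices` with column `office_name`.
function validateOfficeName(?string $raw): string
{
    // Defence in depth only: bound length and character set. The prepared
    // statement in addOffice() is what actually removes the injection vector.
    $name = trim((string) $raw);
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('OfficeName must be 1-100 characters');
    }
    if (!preg_match('/^[\p{L}\p{N} .&\'-]+$/u', $name)) {
        throw new InvalidArgumentException('OfficeName contains disallowed characters');
    }
    return $name;
}

function addOffice(PDO $pdo, string $officeName): int
{
    // Unsafe pattern this replaces: building the SQL text from the parameter,
    //   "INSERT INTO offices (office_name) VALUES ('" . $_POST['OfficeName'] . "')"
    // A bound parameter travels separately from the statement, so its content
    // can never alter the query structure.
    $stmt = $pdo->prepare('INSERT INTO offices (office_name) VALUES (:name)');
    $stmt->bindValue(':name', $officeName, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=courier;charset=utf8mb4',
        getenv('DB_USER') ?: 'app', getenv('DB_PASS') ?: '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false] // native server-side prepares
    );
    try {
        $id = addOffice($pdo, validateOfficeName($_POST['OfficeName'] ?? null));
        http_response_code(201);
        echo 'Office created with id ' . $id;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (PDOException $e) {
        error_log('add-office DB error: ' . $e->getMessage()); // detail stays server-side
        http_response_code(500);
        echo 'Internal error';
    }
}
```

Rejected requests return 400 with a generic message, and the 400/500 responses plus the error_log lines give the query monitoring recommended above something concrete to alert on.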


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-19T08:33:40.499Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691de57d964c14ffeea48e34

Added to database: 11/19/2025, 3:42:53 PM

Last enriched: 11/26/2025, 4:03:07 PM

Last updated: 1/7/2026, 6:07:59 AM
