CVE-2025-13396: SQL Injection in code-projects Courier Management System
A weakness has been identified in code-projects Courier Management System 1.0. This affects an unknown function of the file /add-office.php. This manipulation of the argument OfficeName causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.
AI Analysis
Technical Summary
CVE-2025-13396 identifies a SQL injection vulnerability in the Courier Management System version 1.0 developed by code-projects. The vulnerability resides in the /add-office.php script, specifically in the handling of the OfficeName parameter. Due to insufficient input validation and lack of parameterized queries, an attacker can craft malicious SQL payloads that manipulate the backend database queries. This flaw can be exploited remotely without user interaction and requires only low-level privileges, making it relatively easy to exploit. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the limited scope of impact and the requirement for some privileges. The vulnerability can lead to unauthorized disclosure, alteration, or deletion of data stored in the database, potentially compromising the confidentiality, integrity, and availability of the system. Although no active exploitation has been reported, the availability of a public exploit increases the likelihood of attacks. The Courier Management System is typically used by logistics and courier companies to manage office locations and operations, making this vulnerability critical for business continuity and data protection. The lack of patches or official remediation heightens the urgency for organizations to implement custom mitigations and monitoring.
Potential Impact
For European organizations, especially those in the logistics and courier sectors relying on the affected Courier Management System 1.0, this vulnerability poses a risk of data breaches involving sensitive operational data. Attackers exploiting this SQL injection could extract customer information, manipulate shipment records, or disrupt office management functions, leading to operational downtime and reputational damage. The impact extends to compliance risks under GDPR due to potential unauthorized access to personal data. Additionally, disruption in courier operations could affect supply chains and delivery services critical to European economies. The medium severity indicates moderate but tangible risks, particularly for organizations without robust network segmentation or monitoring. Since the exploit requires low privileges but no user interaction, insider threats or compromised accounts could be leveraged to escalate attacks. The absence of patches means organizations must rely on compensating controls to mitigate risk until an official fix is released.
Mitigation Recommendations
1. Immediately implement strict input validation and sanitization on the OfficeName parameter in /add-office.php to prevent malicious SQL code injection.
2. Refactor the vulnerable code to use parameterized queries or prepared statements to eliminate direct concatenation of user inputs into SQL commands.
3. Restrict access to the /add-office.php endpoint to trusted internal networks or authenticated users with appropriate privileges.
4. Monitor database logs and web server access logs for unusual query patterns or repeated failed attempts indicative of SQL injection attempts.
5. Employ Web Application Firewalls (WAFs) with rules targeting SQL injection signatures to provide an additional layer of defense.
6. Conduct a thorough security audit of the entire Courier Management System to identify and remediate other potential injection points.
7. Educate developers and administrators on secure coding practices and the importance of timely patching once an official update is available.
8. Consider network segmentation to isolate critical courier management systems from broader enterprise networks to limit attack surface.
9. Back up databases regularly and verify restoration procedures to minimize impact in case of data corruption or deletion.
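Added example illustrating mitigation items 1 and 2; this is not the project's code (the real /add-office.php is not shown on this page). It contrasts a hypothetical handler that concatenates OfficeName into the SQL text, which is the pattern behind this class of bug, with a hardened version that allow-lists the value and binds it through a mysqli prepared statement. The table and column names (offices, office_name) and the open $conn connection are assumptions.

```php
<?php
// Hypothetical add-office.php fragment. $conn is assumed to be an open mysqli connection.

// Vulnerable pattern: the request value is spliced straight into the statement text,
// so quote characters inside OfficeName are parsed as SQL (CWE-89).
function addOfficeVulnerable(mysqli $conn, string $officeName): bool
{
    $sql = "INSERT INTO offices (office_name) VALUES ('" . $officeName . "')";
    return $conn->query($sql) === true;
}

// Hardened pattern, step 1: accept only what an office name legitimately contains.
// Reject on failure rather than trying to "clean" the value into the query.
function validateOfficeName(string $officeName): bool
{
    $officeName = trim($officeName);
    // Letters, digits, space and a small punctuation set, 1..100 characters (assumed policy).
    return (bool) preg_match('/^[\p{L}\p{N} .,&\'-]{1,100}$/u', $officeName);
}

// Hardened pattern, step 2: bind the value as a parameter so the database
// receives it separately from the SQL text and never parses it as code.
function addOfficeSafe(mysqli $conn, string $officeName): bool
{
    if (!validateOfficeName($officeName)) {
        return false;
    }
    $stmt = $conn->prepare("INSERT INTO offices (office_name) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', trim($officeName));
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: after the fix only the hardened path should remain.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['OfficeName'])) {
    if (addOfficeSafe($conn, (string) $_POST['OfficeName'])) {
        echo 'Office added.';
    } else {
        http_response_code(400);
        echo 'Invalid office name.';
    }
}
```

The allow-list keeps garbage out of the table, but the prepared statement is the control that actually removes the injection, so do not rely on the regex alone.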
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-19T08:33:40.499Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691de57d964c14ffeea48e34
Added to database: 11/19/2025, 3:42:53 PM
Last enriched: 11/19/2025, 3:57:57 PM
Last updated: 11/19/2025, 4:44:40 PM