CVE-2025-13468: Missing Authorization in SourceCodester Alumni Management System
A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the functions delete_forum, delete_career, delete_comment, delete_gallery and delete_event in the file admin/admin_class.php (Delete Handler component). Manipulating the ID argument can lead to missing authorization. The attack can be launched remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-13468 identifies a missing authorization vulnerability in SourceCodester Alumni Management System version 1.0. The flaw exists in the delete handler functions (delete_forum, delete_career, delete_comment, delete_gallery, delete_event) located in the admin/admin_class.php file. These functions fail to properly verify whether the user initiating the delete request has the necessary permissions. By manipulating the ID parameter remotely, an attacker can delete various types of data entries without authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 5.3 (medium severity), reflecting its network attack vector, low complexity, no privileges required, and no user interaction needed. The impact includes unauthorized data deletion, which compromises data integrity and availability, and may indirectly affect confidentiality if sensitive data is removed or altered. Although no active exploits are reported in the wild, public exploit code availability increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is used primarily by educational institutions and alumni organizations to manage community data. The lack of authorization checks in critical delete functions represents a significant security oversight that could disrupt organizational operations and damage trust in the system.
Potential Impact
For European organizations, particularly educational institutions and alumni associations using SourceCodester Alumni Management System 1.0, this vulnerability poses a risk of unauthorized data deletion. This can lead to loss of important community data such as forum discussions, career postings, event information, and user comments, impacting operational continuity and user trust. The integrity and availability of data are directly threatened, potentially causing reputational damage and administrative burdens to restore lost information. Since the attack can be launched remotely without authentication or user interaction, the threat surface is broad, increasing the likelihood of exploitation. Disruption of alumni and educational community platforms could also affect collaboration and communication within these organizations. The medium severity rating suggests moderate impact but ease of exploitation warrants prompt attention to prevent potential misuse.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately implement strict authorization checks on all delete operations within the admin/admin_class.php file, ensuring that only authenticated and authorized users can perform deletions. Code review and security testing should be conducted to verify that all sensitive functions enforce proper access controls. If possible, upgrade to a patched version of the software once available or apply vendor-provided patches. In the absence of patches, consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious delete requests with manipulated ID parameters. Regularly monitor logs for unusual deletion activity and establish alerting mechanisms. Additionally, maintain regular backups of all critical data to enable recovery in case of unauthorized deletions. Educate administrative users about the risks and encourage strong credential management to reduce the risk of credential compromise.
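The authorization gate the recommendation above calls for, as an added illustration that is not code from the SourceCodester project: a single delete handler that checks the session for an administrator before touching any record. The class name, the session keys `login_id` and `login_type`, the role value 1 and the table names are assumptions.

```php
<?php
// Added example, not code from the SourceCodester project; class name, session
// keys ('login_id', 'login_type') and table names are assumptions. Every delete
// handler now verifies the caller is an authenticated admin before acting on the ID.
class DeleteHandler
{
    private PDO $db;
    // Whitelist of deletable tables, so the handler cannot be turned into a
    // generic "delete anything by id" endpoint.
    private const ALLOWED = [
        'forum'   => 'forum_topics',
        'career'  => 'careers',
        'comment' => 'comments',
        'gallery' => 'gallery',
        'event'   => 'events',
    ];

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Central authorization gate, the check the vulnerable handlers lack:
    // an active session must carry an admin role (assumed: login_type 1).
    private function requireAdmin(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION['login_id']) || (int)($_SESSION['login_type'] ?? 0) !== 1) {
            http_response_code(403);
            exit('forbidden');
        }
    }

    // One handler for forum/career/comment/gallery/event: authorize first,
    // validate the ID, delete via a prepared statement, then log who did it.
    public function delete(string $kind, string $id): bool
    {
        $this->requireAdmin();
        if (!isset(self::ALLOWED[$kind]) || !ctype_digit($id)) {
            return false;
        }
        $stmt = $this->db->prepare('DELETE FROM ' . self::ALLOWED[$kind] . ' WHERE id = ?');
        $stmt->execute([(int)$id]);
        error_log(sprintf('admin %d deleted %s id %d', $_SESSION['login_id'], $kind, (int)$id));
        return $stmt->rowCount() > 0;
    }
}
```

The error_log line gives the deletion trail that the monitoring recommendation above depends on; a per-request CSRF token check belongs in the same gate if the admin pages are form-driven.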
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-20T06:58:09.831Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 691f1a653e6177767e7adff1
Added to database: 11/20/2025, 1:40:53 PM
Last enriched: 11/20/2025, 1:55:48 PM
Last updated: 11/20/2025, 8:25:22 PM