
CVE-2025-13560: SQL Injection in SourceCodester Company Website CMS

Severity: Medium
Published: Sun Nov 23 2025 (11/23/2025, 17:02:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Company Website CMS

Description

A vulnerability was found in SourceCodester Company Website CMS 1.0. This affects an unknown part of the file /admin/reset-password.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.

AI-Powered Analysis

AI analysis last updated: 11/30/2025, 18:17:39 UTC

Technical Analysis

CVE-2025-13560 is a SQL injection vulnerability identified in SourceCodester Company Website CMS version 1.0, specifically affecting the /admin/reset-password.php script. The vulnerability stems from improper handling of the 'email' parameter, which is susceptible to SQL injection attacks due to lack of adequate input sanitization or use of parameterized queries. An attacker can remotely exploit this flaw without requiring authentication or user interaction, by crafting malicious input that alters the intended SQL query logic. This can lead to unauthorized access to sensitive data stored in the CMS database, including user credentials or other confidential information, and potentially allow modification or deletion of data. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with network attack vector, low complexity, and no privileges or user interaction needed. Although no exploits have been observed in the wild yet, the public availability of exploit code increases the risk of exploitation. The vulnerability affects only version 1.0 of the CMS, and no official patches have been linked yet. The threat is particularly relevant for organizations using this CMS for their corporate websites, especially if the admin interface is exposed to the internet. Attackers could leverage this vulnerability to compromise the website’s backend database, potentially leading to data breaches or website defacement. The lack of authentication requirement and ease of exploitation make this a notable risk for affected deployments.
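The flaw class described above, as an added illustration that is not code from the CMS or from this advisory: a user lookup by e-mail written the vulnerable way (the submitted value spliced into the SQL text) next to the parameterized form, plus the format check that mitigation steps 1 and 2 below call for. It is written in Python against an in-memory SQLite table with constructed rows; the CMS itself is PHP, where the equivalent fix is a PDO prepared statement with a bound parameter. The table layout, rows and function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed in-memory user table standing in for the CMS database
# (example data; not the real schema of Company Website CMS).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, "
        "password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("admin@example.com", "$2y$10$constructed-hash-1"),
         ("editor@example.com", "$2y$10$constructed-hash-2")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The pattern the advisory describes: untrusted input becomes part of the
    # SQL text, so quote characters in the value change the query's logic.
    query = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    # The query shape is fixed at write time; the driver binds the value
    # separately, so no content of `email` can alter the WHERE clause.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


# Plausibility check for an address. This is defense in depth only: the
# parameterized query above is what actually prevents injection.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_plausible_email(value: str) -> bool:
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def reset_password_lookup(conn: sqlite3.Connection, email: str):
    """Hardened handler step: reject malformed input, then look the user up
    with a bound parameter. Returns the user id or None."""
    if not is_plausible_email(email):
        return None
    rows = lookup_hardened(conn, email)
    return rows[0][0] if rows else None


def compare(email: str) -> tuple:
    """Row counts returned by the vulnerable and hardened lookups for one input."""
    conn = make_db()
    return len(lookup_vulnerable(conn, email)), len(lookup_hardened(conn, email))


if __name__ == "__main__":
    # A tautology in the e-mail field matches every user in the vulnerable
    # version and nothing in the hardened one.
    print(compare("admin@example.com"))   # (1, 1)
    print(compare("' OR '1'='1"))         # (2, 0)
```

The hardened lookup does not need the e-mail check to be safe; the check only keeps obviously malformed input from reaching the database and producing misleading errors or log noise.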

Potential Impact

For European organizations using SourceCodester Company Website CMS 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their website data. Exploitation could lead to unauthorized disclosure of sensitive information such as user credentials, company data, or customer information. Data integrity could be compromised if attackers modify or delete database records, potentially disrupting business operations or damaging reputation. Availability could also be impacted if attackers execute destructive queries or cause database errors. Given the remote and unauthenticated nature of the exploit, any publicly accessible admin reset-password endpoint increases exposure. SMEs and companies relying on this CMS for their online presence are particularly vulnerable, as they may lack dedicated security resources. The public release of exploit code raises the likelihood of opportunistic attacks, increasing the urgency for mitigation. Additionally, compromised websites could be used as a foothold for further attacks or to distribute malware, amplifying the threat impact.

Mitigation Recommendations

1. Immediately implement input validation and sanitization on the 'email' parameter in /admin/reset-password.php to prevent SQL injection.
2. Refactor the code to use parameterized queries or prepared statements for all database interactions involving user input.
3. Restrict access to the reset-password functionality by limiting it to trusted IP addresses or requiring authentication where feasible.
4. Monitor web server and application logs for suspicious activity targeting the reset-password endpoint.
5. If possible, upgrade to a patched version of the CMS once available or apply vendor-provided patches promptly.
6. Employ Web Application Firewalls (WAFs) with SQL injection detection rules to provide an additional layer of defense.
7. Conduct a thorough security audit of the CMS installation to identify and remediate any other potential vulnerabilities.
8. Educate administrators about the risks of exposing admin interfaces publicly and encourage best practices for secure deployment.
9. Back up the CMS database regularly to enable recovery in case of compromise.
10. Consider migrating to more secure and actively maintained CMS platforms if feasible.
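Mitigation step 4 asks for monitoring of the reset-password endpoint. The following added example (not part of the advisory or of the CMS) runs two checks over constructed Apache/nginx combined-format access-log lines: injection-looking syntax in decoded query-string values sent to /admin/reset-password.php, and bursts of requests to that endpoint from one client address. The sample lines, addresses, thresholds and the marker pattern are assumptions made for the example. Access logs carry only the query string, so if the CMS reads the e-mail from a POST body the same value check has to run on a parameter logged at the application layer; the burst check works either way.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/admin/reset-password.php"

# Apache/nginx "combined" format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Heuristic markers for injection attempts in a decoded parameter value. A lone
# apostrophe is not enough (o'brien@example.com is a valid address), so a quote
# must be followed by SQL syntax; comment, UNION and timing constructs also count.
SQLI_MARKERS = re.compile(
    r"'\s*(?:or|and|union|select|--|;|\)|=)|--|/\*|\bunion\s+select\b|\bsleep\s*\(|\bbenchmark\s*\(",
    re.IGNORECASE,
)

# Constructed sample traffic (addresses from documentation ranges; not real logs).
SAMPLE_LOG = """\
203.0.113.10 - - [23/Nov/2025:17:02:06 +0000] "GET /admin/reset-password.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Nov/2025:17:02:09 +0000] "POST /admin/reset-password.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [23/Nov/2025:17:03:00 +0000] "GET /admin/reset-password.php?email=o%27brien%40example.com HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Nov/2025:17:05:41 +0000] "GET /admin/reset-password.php?email=a%40b.com%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Nov/2025:17:05:42 +0000] "GET /admin/reset-password.php?email=a%40b.com%27%20UNION%20SELECT%201--%20 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.50 - - [23/Nov/2025:17:10:00 +0000] "POST /admin/reset-password.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [23/Nov/2025:17:10:05 +0000] "POST /admin/reset-password.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [23/Nov/2025:17:10:10 +0000] "POST /admin/reset-password.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [23/Nov/2025:17:10:15 +0000] "POST /admin/reset-password.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [23/Nov/2025:17:10:20 +0000] "POST /admin/reset-password.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [23/Nov/2025:17:10:25 +0000] "POST /admin/reset-password.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [23/Nov/2025:17:12:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return (ip, timestamp, method, path, params) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    return m["ip"], ts, m["method"], parts.path, params


def analyze(log_text: str, burst_threshold: int = 5,
            window: timedelta = timedelta(seconds=60)) -> list:
    """Findings: 'sqli_pattern' per suspicious parameter value, 'burst' per client
    that sent at least burst_threshold requests to the endpoint within window."""
    findings = []
    hits_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, params = parsed
        if path != TARGET_PATH:
            continue
        hits_by_ip[ip].append(ts)
        for name, value in params:
            if SQLI_MARKERS.search(value):
                findings.append({"kind": "sqli_pattern", "ip": ip, "ts": ts,
                                 "param": name, "value": value})
    for ip, stamps in hits_by_ip.items():
        stamps.sort()
        for i in range(len(stamps)):
            # Count requests in the window starting at stamps[i].
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= burst_threshold:
                findings.append({"kind": "burst", "ip": ip, "ts": stamps[i], "count": j - i})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample input the value check flags the two 198.51.100.7 requests and leaves the apostrophe address alone, and the burst check flags 192.0.2.50. Tune the threshold and window to the site's real traffic to the endpoint before alerting on them.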


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-22T16:51:41.898Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69233fd377ebf6e86e532d55

Added to database: 11/23/2025, 5:09:39 PM

Last enriched: 11/30/2025, 6:17:39 PM

Last updated: 1/8/2026, 1:59:18 PM

Views: 56

Community Reviews

0 reviews
