CVE-2025-13572: SQL Injection in projectworlds Advanced Library Management System
A vulnerability was identified in projectworlds Advanced Library Management System 1.0. This affects an unknown part of the file /delete_admin.php. The manipulation of the argument admin_id leads to SQL injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13572 affects projectworlds Advanced Library Management System version 1.0. It is a SQL Injection flaw located in the /delete_admin.php script, where the admin_id parameter is improperly sanitized. This allows an unauthenticated remote attacker to inject arbitrary SQL commands directly into the backend database query. The injection can lead to unauthorized data access, modification, or deletion, impacting the confidentiality, integrity, and availability of the system's data. The vulnerability requires no privileges or user interaction, making it easier to exploit remotely. The CVSS 4.0 score of 6.9 reflects a medium severity level, considering the ease of exploitation and potential impact. Although no active exploitation in the wild is currently reported, a public exploit is available, increasing the likelihood of attacks. The affected product is a specialized library management system, which may limit the number of vulnerable targets but still presents a significant risk to institutions relying on this software for administrative tasks. The lack of official patches or vendor advisories necessitates immediate mitigation efforts by users. The vulnerability highlights the critical need for secure coding practices, particularly input validation and the use of parameterized queries to prevent SQL Injection attacks.
Potential Impact
The impact of CVE-2025-13572 can be significant for organizations using the affected library management system. Successful exploitation allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized disclosure of sensitive data such as user credentials, administrative information, and library records. Attackers could also modify or delete critical data, disrupting library operations and causing data integrity issues. The availability of the system could be compromised if attackers delete or corrupt essential database tables. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely by any attacker aware of the system's presence. This increases the risk of automated scanning and exploitation attempts. Organizations may face reputational damage, regulatory penalties, and operational downtime if the vulnerability is exploited. The presence of a public exploit further elevates the threat level, as it lowers the barrier for attackers to launch attacks. However, the niche nature of the affected software limits the global scale of impact compared to more widely deployed products.
Mitigation Recommendations
To mitigate CVE-2025-13572, organizations should immediately review and update the /delete_admin.php script to implement strict input validation and sanitization for the admin_id parameter. The preferred approach is to use parameterized queries or prepared statements to prevent SQL Injection. If source code modification is not immediately possible, organizations should restrict access to the affected endpoint by implementing network-level controls such as IP whitelisting or VPN access for administrative functions. Monitoring web server and database logs for suspicious queries or repeated access attempts to /delete_admin.php can help detect exploitation attempts early. Organizations should also conduct a thorough security audit of the entire application to identify and remediate any other injection points. Where possible, upgrading to a newer, patched version of the software is recommended once available. Additionally, applying web application firewalls (WAFs) with SQL Injection detection rules can provide an additional layer of defense. Regular backups of the database should be maintained to enable recovery in case of data corruption or deletion.
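The following PHP is an added illustration of the two coding patterns the recommendations above contrast; it is not projectworlds' code and does not reproduce the actual contents of /delete_admin.php. It assumes a mysqli connection in $conn, a hypothetical admins table with an integer admin_id primary key, and the logged-in administrator's id in $_SESSION['admin_id']. The first handler shows the generic unsafe shape (untrusted input concatenated into the SQL text); the second applies the advisory's mitigations: an authentication check, POST-only, strict integer validation, a prepared statement with a bound parameter, and an audit log line to support the log monitoring the advisory recommends.

```php
<?php
// Added example, not the project's own code. Assumptions: $conn is a mysqli
// connection; table `admins` has an integer `admin_id` key; the current
// administrator's id is stored in $_SESSION['admin_id'].

// UNSAFE pattern: the request value becomes part of the SQL statement text,
// so the database parses whatever the client sent as SQL (CWE-89).
function delete_admin_unsafe(mysqli $conn): void
{
    $id = $_GET['admin_id'];                                  // untrusted input
    $conn->query("DELETE FROM admins WHERE admin_id = $id");  // injectable query
}

// HARDENED pattern: authenticate, require POST, validate the type, and bind
// the value as a parameter so it can never alter the statement's structure.
function delete_admin_safe(mysqli $conn): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {            // unauthenticated callers are rejected
        http_response_code(403);
        exit('Forbidden');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {   // a destructive action must not be a GET link
        http_response_code(405);
        exit('Method Not Allowed');
    }

    // Strict validation: only a positive integer is an acceptable admin_id.
    $id = filter_input(INPUT_POST, 'admin_id', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid admin_id');
    }

    // Prepared statement: the SQL text is fixed and the value travels separately.
    $stmt = $conn->prepare('DELETE FROM admins WHERE admin_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();

    // Audit line for web/database log review (actor, target, rows, source IP).
    error_log(sprintf('delete_admin: actor=%d target=%d rows=%d ip=%s',
        (int) $_SESSION['admin_id'], $id, $stmt->affected_rows,
        $_SERVER['REMOTE_ADDR'] ?? '-'));
    $stmt->close();
}
```

The validation step alone would stop the injection for an integer column, but the prepared statement is the control that holds even if a later change loosens the validation, which is why the advisory names parameterized queries as the preferred fix rather than sanitization.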
Affected Countries
India, United States, Canada, United Kingdom, Australia, Germany, South Africa, Singapore, Malaysia, Philippines
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-23T07:40:29.164Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69239609dfa0c74de87abf80
Added to database: 11/23/2025, 11:17:29 PM
Last enriched: 2/24/2026, 10:09:51 PM
Last updated: 3/21/2026, 9:55:40 PM