CVE-2025-13572 identifies a SQL injection vulnerability in projectworlds Advanced Library Management System version 1.0. The vulnerability resides in the /delete_admin.php script, where the admin_id parameter is improperly sanitized, allowing an attacker to inject arbitrary SQL commands. This injection can be exploited remotely without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the backend database by enabling unauthorized data access, modification, or deletion. The CVSS score of 6.9 (medium severity) reflects the moderate impact and ease of exploitation. Although no active exploitation in the wild has been reported, a public exploit is available, increasing the likelihood of future attacks. The vulnerability affects only version 1.0 of the software, and no official patches have been released yet. The Advanced Library Management System is typically deployed in educational institutions and libraries, which may store sensitive user and administrative data. The lack of authentication requirement and the remote attack vector make this vulnerability particularly concerning for organizations relying on this software without additional network protections.

For European organizations, especially educational institutions and public libraries using projectworlds Advanced Library Management System 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive administrative data, manipulation or deletion of records, and potential disruption of library services. This could undermine trust, violate data protection regulations such as GDPR, and cause operational downtime. Since the vulnerability allows remote exploitation without authentication, attackers could leverage it from outside the network, increasing exposure. The availability of a public exploit further elevates the risk of targeted attacks or opportunistic scanning. Organizations with limited IT security resources or outdated software maintenance practices are particularly vulnerable. The impact extends beyond data loss to potential reputational damage and regulatory penalties in Europe.

Immediate mitigation steps include implementing strict input validation and parameterized queries or prepared statements for the admin_id parameter to prevent SQL injection. Until an official patch is released, organizations should restrict access to the /delete_admin.php endpoint using network-level controls such as firewalls or VPNs to limit exposure. Monitoring database logs and web application logs for suspicious queries or unusual activity related to admin_id can help detect exploitation attempts. Employing web application firewalls (WAFs) with SQL injection detection rules can provide an additional layer of defense. Organizations should also conduct a thorough audit of their Advanced Library Management System deployments to identify affected instances and prioritize remediation. Planning for an upgrade to a patched version or alternative software is advisable. Finally, educating administrators about the risks and signs of exploitation can improve incident response readiness.