CVE-2025-13572 identifies a SQL injection vulnerability in projectworlds Advanced Library Management System version 1.0, specifically within the /delete_admin.php file. The vulnerability arises due to insufficient input validation or sanitization of the admin_id parameter, which is directly incorporated into SQL queries without proper escaping or use of prepared statements. This allows a remote attacker to craft malicious input that alters the intended SQL command, potentially leading to unauthorized data access, modification, or deletion within the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 score of 6.9 (medium severity) reflects the ease of exploitation (network vector, low attack complexity) and the partial impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, the availability of public exploit code lowers the barrier for attackers. The affected product is a niche library management system, which may be deployed in academic, public, or private libraries. The vulnerability could allow attackers to delete or modify administrative accounts or other sensitive data, potentially disrupting library operations or exposing confidential information. No official patches have been linked yet, so mitigation currently relies on secure coding practices and network defenses.

For European organizations, particularly educational institutions, public libraries, and private entities using projectworlds Advanced Library Management System 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to administrative functions, data leakage of patron or staff information, and disruption of library services. The integrity of administrative controls could be compromised, allowing attackers to escalate privileges or manipulate system configurations. Availability may also be affected if attackers delete critical records or cause database corruption. Given the remote and unauthenticated nature of the exploit, attackers can operate from outside the network perimeter, increasing exposure. The impact is heightened in countries with widespread adoption of this software or where libraries hold sensitive personal or research data. Additionally, disruption of library services could affect academic research and public access to information, with broader societal implications.

Organizations should immediately inventory their environments to identify any deployments of projectworlds Advanced Library Management System version 1.0. Until an official patch is released, implement strict input validation on the admin_id parameter, enforcing numeric-only or whitelist-based filtering to prevent injection. Refactor the code to use parameterized queries or prepared statements to eliminate direct SQL concatenation. Employ web application firewalls (WAFs) with rules targeting SQL injection patterns to detect and block malicious requests. Monitor database logs and application logs for unusual query patterns or repeated failed attempts to delete admin accounts. Restrict network access to the management interface to trusted IP addresses where feasible. Conduct regular backups of the database to enable recovery in case of data manipulation or deletion. Once available, promptly apply vendor patches and verify their effectiveness through penetration testing. Educate administrators about the risks and signs of exploitation to improve incident response readiness.