CVE-2025-13573 is a vulnerability identified in projectworlds version 1.0, specifically in the /add_book.php file, where the image parameter is improperly validated, allowing unrestricted file uploads. This flaw permits remote attackers to upload arbitrary files, potentially containing malicious payloads, without requiring authentication or user interaction. The vulnerability arises due to insufficient input validation and lack of proper access controls on the upload functionality. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the attack vector is network-based with low complexity and no privileges required, but with limited impact on confidentiality, integrity, and availability. The vulnerability could be exploited to execute arbitrary code, upload web shells, or introduce malware, leading to partial system compromise. Although no exploits are currently known in the wild, the public release of exploit code increases the likelihood of exploitation. The vulnerability affects only version 1.0 of projectworlds, and no official patches or updates have been linked yet. The unrestricted upload vulnerability is a common attack vector for web applications, often leading to severe consequences if exploited. Organizations using projectworlds 1.0 should urgently assess their exposure and implement mitigations to prevent exploitation.

For European organizations, exploitation of CVE-2025-13573 could result in unauthorized remote code execution, data breaches, defacement, or disruption of services. Confidentiality may be compromised if attackers gain access to sensitive data through uploaded malicious files. Integrity could be affected by unauthorized modification or insertion of malicious content. Availability might be impacted if attackers deploy ransomware or cause denial-of-service conditions. Given the public availability of exploit code, the risk of automated or opportunistic attacks is elevated. Organizations in sectors such as government, finance, healthcare, and critical infrastructure are particularly at risk due to the potential for targeted exploitation and the sensitive nature of their data. The medium severity suggests that while the impact is significant, it may not lead to full system compromise without additional vulnerabilities or misconfigurations. However, the ease of exploitation and remote attack vector necessitate prompt attention to prevent lateral movement or escalation within networks.

1. Immediately restrict file upload types on the /add_book.php endpoint to allow only safe, expected image formats (e.g., JPEG, PNG) and reject all others. 2. Implement robust server-side validation of uploaded files, including MIME type checks, file extension verification, and content inspection to detect malicious payloads. 3. Employ file upload size limits and scan uploaded files with antivirus or malware detection tools before processing or storage. 4. Isolate uploaded files in non-executable directories and disable execution permissions to prevent execution of malicious code. 5. Monitor web server logs and application logs for unusual upload activity or access patterns indicative of exploitation attempts. 6. If possible, apply virtual patching via web application firewalls (WAFs) to block suspicious upload requests targeting the image parameter. 7. Engage with the vendor or community for official patches or updates and plan for timely deployment once available. 8. Conduct security awareness training for developers and administrators on secure file upload practices. 9. Review and tighten access controls around the upload functionality to limit exposure. 10. Regularly audit and update the projectworlds installation to newer, secure versions when released.