CVE-2025-13255 – This SQL injection vulnerability in Advanced Li... (How to Fix)

Q: What is the severity of CVE-2025-13255?

CVE-2025-13255 has a CVSS score of 6.3 (MEDIUM). This SQL injection vulnerability in Advanced Library Management System 1.0 allows attackers to manipulate database queries through the book_search.php endpoint. Remote attackers can potentially access, modify, or delete library database content. All systems running the vulnerable version are affected.

📋 TL;DR

This SQL injection vulnerability in Advanced Library Management System 1.0 allows attackers to manipulate database queries through the book_search.php endpoint. Remote attackers can potentially access, modify, or delete library database content. All systems running the vulnerable version are affected.

💻 Affected Systems

Products:

Advanced Library Management System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the book_search.php endpoint specifically

📦 What is this software?

Advanced Library Management System by Projectworlds

View all CVEs affecting Advanced Library Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, or potential server takeover via SQL injection chaining

🟠

Likely Case

Unauthorized data access and extraction from the library database

🟢

If Mitigated

Limited impact with proper input validation and database permissions

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit code is publicly available and attack requires no authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider workarounds or alternative software.

🔧 Temporary Workarounds

Input Validation Filter

all

Add parameter validation to book_search.php to sanitize book_pub and book_title inputs

Modify book_search.php to implement prepared statements or parameterized queries

Web Application Firewall

all

Deploy WAF with SQL injection rules to block malicious requests

Configure WAF to block SQL injection patterns targeting book_search.php

🧯 If You Can't Patch

Isolate the system from internet access
Implement strict network segmentation and access controls

🔍 How to Verify

Check if Vulnerable:

Test book_search.php endpoint with SQL injection payloads in book_pub or book_title parameters

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return proper error handling

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web logs
Multiple rapid requests to book_search.php with special characters

Network Indicators:

HTTP requests containing SQL keywords (SELECT, UNION, etc.) in book_pub/book_title parameters

SIEM Query:

web_logs WHERE url LIKE '%book_search.php%' AND (params CONTAINS 'UNION' OR params CONTAINS 'SELECT' OR params CONTAINS '--')

📊 Metadata

CVE ID: CVE-2025-13255

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.05% exploit probability (15.2th percentile)

Published: November 17, 2025

Last Updated: February 24, 2026

🔗 References

https://github.com/Wyg2002yx/cve/blob/main/003/report.md Exploit,Third Party Advisory
https://github.com/Wyg2002yx/cve/blob/main/004/report.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.332590 Permissions Required,VDB Entry
https://vuldb.com/?id.332590 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.687855 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.687857 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13255, you might also want to check these: