CVE-2025-13573

6.3 MEDIUM

📋 TL;DR

An unrestricted file upload flaw in the /add_book.php endpoint of projectworlds can pass (versions up to and including 1.0) lets remote, unauthenticated attackers upload arbitrary files, which can lead to arbitrary code execution on the affected server. Any deployment of a vulnerable version in which /add_book.php is reachable is exposed.

💻 Affected Systems

Products:
  • projectworlds can pass
Versions: Up to and including 1.0
Operating Systems: Any OS running a PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires /add_book.php endpoint to be accessible and functional

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network

🟠 Likely Case: Webshell deployment allowing persistent backdoor access, file system manipulation, and potential data exfiltration

🟢 If Mitigated: Limited impact with proper file upload restrictions, web application firewalls, and network segmentation in place

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing systems prime targets
🏢 Internal Only: MEDIUM - Internal systems remain vulnerable but require initial network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit is available on GitHub; exploitation requires only a simple manipulated file upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider removing or replacing vulnerable software.

🔧 Temporary Workarounds

Restrict file uploads (platform: all)

Implement strict file type validation and size limits for uploads

<?php
// In the application's upload handling code (add_book.php or the code it calls).
// Example: allow-list of permitted extensions; an extension check alone is a
// baseline, so also validate the file's content type and size before saving it.
$allowed_types = ['jpg', 'png', 'gif'];
// $filename holds the client-supplied name of the uploaded file (e.g. $_FILES['<field>']['name']);
// never trust it as a storage path.
$file_extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_types, true)) {
    die('Invalid file type');
}

Disable vulnerable endpoint (platform: linux)

Remove or restrict access to /add_book.php

# Apache .htaccess (requires mod_rewrite and AllowOverride for the directory)
RewriteEngine On
RewriteRule ^add_book\.php$ - [F,L]

# Nginx configuration: returns 403 for any request to the endpoint
location ~ /add_book\.php$ {
    deny all;
    return 403;
}

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block malicious file uploads
  • Isolate affected systems in segmented network zones with strict egress filtering

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a test file with a disallowed extension to the /add_book.php endpoint and check whether it is accepted

Check Version:

Check software version in configuration files or admin interface

Verify Fix Applied:

Test the upload with restricted file types and verify that the validation rejects them

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /add_book.php
  • Uploads of non-image file types
  • Large number of upload requests

Network Indicators:

  • POST requests to /add_book.php with executable file extensions
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND uri="/add_book.php" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")
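The network indicator above (POST requests to /add_book.php carrying an executable file extension) can be checked directly on captured request bodies, for example in a WAF or proxy hook. The following is an added example written for this page, not code from the advisory or from projectworlds; it assumes the capture provides the method, URI, Content-Type header and raw body, and the sample request is constructed.

```python
from email.parser import BytesParser
from email.policy import default

ENDPOINT = "/add_book.php"
# Extensions a PHP web server or shell may execute; extend to match your stack.
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "exe", "sh"}

def upload_filenames(content_type, body):
    """Return the filenames declared in a multipart/form-data body.

    The stdlib email parser already understands multipart bodies, so the raw
    request body is wrapped in a minimal MIME header and split into parts."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def risky_extensions(filename):
    """Every executable extension in the name, so a double extension such as
    'cover.php.jpg' is caught, not only the final one."""
    exts = filename.lower().split(".")[1:]
    return [e for e in exts if e in EXEC_EXTS]

def inspect_request(method, uri, content_type, body):
    """Return [(filename, [bad extensions])] for uploads to /add_book.php
    that carry an executable extension; an empty list means nothing to flag."""
    if method != "POST" or uri.split("?", 1)[0] != ENDPOINT:
        return []
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    findings = []
    for name in upload_filenames(content_type, body):
        bad = risky_extensions(name)
        if bad:
            findings.append((name, bad))
    return findings

# Constructed sample request: a book-cover upload whose name hides a PHP extension.
SAMPLE_CT = 'multipart/form-data; boundary="----boundary42"'
SAMPLE_BODY = (
    b"------boundary42\r\n"
    b'Content-Disposition: form-data; name="title"\r\n\r\nSome Book\r\n'
    b"------boundary42\r\n"
    b'Content-Disposition: form-data; name="cover"; filename="cover.php.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n(not really an image)\r\n"
    b"------boundary42--\r\n"
)

if __name__ == "__main__":
    for finding in inspect_request("POST", ENDPOINT, SAMPLE_CT, SAMPLE_BODY):
        print("ALERT: upload %r carries executable extension(s) %s" % finding)
```

Feed the function every captured POST to the endpoint; anything it returns corresponds to the "executable file extensions" indicator and should raise an alert alongside the SIEM query.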
