CVE-2025-13278 Overview
CVE-2025-13278 is a SQL injection vulnerability in Projectworlds Advanced Library Management System 1.0. The flaw resides in the /borrowed_book_search.php script, where the datefrom and dateto parameters are passed into a database query without proper sanitization. Remote attackers holding low-privileged credentials can manipulate these parameters to inject arbitrary SQL statements. The issue is tracked under CWE-89 (SQL Injection) and CWE-74 (Injection). Public exploit details have been disclosed, increasing the likelihood of opportunistic attacks against exposed installations.
Critical Impact
Authenticated remote attackers can inject SQL queries through the datefrom and dateto parameters, potentially exposing or modifying library database records.
Affected Products
- Projectworlds Advanced Library Management System 1.0
- Deployments exposing /borrowed_book_search.php to network-reachable users
- Installations using the unpatched upstream codebase from Projectworlds
Discovery Timeline
- 2025-11-17 - CVE-2025-13278 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-13278
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw in the borrowed book search functionality. The /borrowed_book_search.php endpoint accepts two user-supplied date parameters, datefrom and dateto, and concatenates them directly into a SQL query. Because the application does not use parameterized queries or sanitize the input, attackers can break out of the intended SQL context and inject arbitrary clauses. The attack is launched remotely over the network and requires only low privileges, meaning a valid but unprivileged account is sufficient. Public disclosure of exploitation details lowers the technical barrier for opportunistic attackers scanning for vulnerable instances.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The PHP code path handling /borrowed_book_search.php interpolates the datefrom and dateto request arguments into the query string passed to the MySQL backend. Without prepared statements, type casting, or input validation, attacker-controlled input such as single quotes, UNION clauses, or boolean operators alters the query's logic and structure.
Attack Vector
Exploitation is performed over HTTP against an authenticated session on the library application. An attacker submits crafted values in either the datefrom or dateto parameter through the borrowed book search interface. Successful injection allows enumeration of database schema, extraction of book records and user data, and potentially modification of stored data depending on the privileges of the database user configured in the application.
The vulnerability manifests when unsanitized input from datefrom and dateto reaches the SQL query in /borrowed_book_search.php. Refer to the GitHub CVE Analysis Report and VulDB entry #332613 for the disclosed technical details.
Detection Methods for CVE-2025-13278
Indicators of Compromise
- HTTP requests to /borrowed_book_search.php containing SQL meta-characters such as ', --, UNION, SELECT, or SLEEP( in the datefrom or dateto parameters
- Unusually long or URL-encoded values in date parameters that should normally match YYYY-MM-DD format
- Web server access logs showing repeated requests to the borrowed book search endpoint from a single source
- Database error messages or 500 responses correlating with malformed date inputs
Detection Strategies
- Deploy web application firewall (WAF) rules that block SQL injection patterns specifically on the datefrom and dateto parameters
- Inspect PHP and MySQL query logs for unexpected query structures originating from borrowed_book_search.php
- Validate that date parameters strictly match a date format at the application or proxy layer and alert on deviations
Monitoring Recommendations
- Enable verbose query logging on the backend database to flag anomalous SELECT patterns referencing system tables such as information_schema
- Correlate authentication events with subsequent search activity to identify accounts probing the endpoint
- Track 4xx and 5xx response spikes on the library application as a proxy for injection probing attempts
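The indicators and detection strategies above can be applied to web server access logs directly. The following is an added example, not part of the original advisory: a Python scanner over constructed combined-format log lines that flags datefrom/dateto values on /borrowed_book_search.php that do not match YYYY-MM-DD or contain SQL meta-characters, and summarizes flagged requests and 5xx responses per source. The log lines and the usernames in them are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Nov/2025:10:01:02 +0000] "GET /borrowed_book_search.php?datefrom=2025-01-01&dateto=2025-01-31 HTTP/1.1" 200 4312
10.0.0.9 - bob [17/Nov/2025:10:02:10 +0000] "GET /borrowed_book_search.php?datefrom=2025-01-01%27&dateto=2025-01-31 HTTP/1.1" 200 9821
10.0.0.9 - bob [17/Nov/2025:10:02:15 +0000] "GET /borrowed_book_search.php?datefrom=2025-01-01&dateto=2025-01-31%27%20UNION%20SELECT%201--%20- HTTP/1.1" 500 213
10.0.0.5 - alice [17/Nov/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
DATE_RE = re.compile(r'^\d{4}-\d{2}-\d{2}$')          # the only shape a date value should have
SQL_META = re.compile(r"(['\";]|--|/\*|\b(union|select|sleep)\b)", re.I)
ENDPOINT = '/borrowed_book_search.php'

def inspect_line(line):
    """Return a finding for one access-log line, or None if it is benign or off-target."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes the values
    reasons = []
    for name in ('datefrom', 'dateto'):
        for value in params.get(name, []):
            if not DATE_RE.match(value):
                reasons.append(f'{name}: not YYYY-MM-DD')
            if SQL_META.search(value):
                reasons.append(f'{name}: SQL meta-characters')
    if not reasons:
        return None
    return {'src': m['src'], 'user': m['user'], 'status': int(m['status']), 'reasons': reasons}

def scan(log_text):
    """Run inspect_line over every line and keep only the flagged requests."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]

def summarize(findings):
    """Per-source counts: repeated probing from one address and 5xx responses on malformed input."""
    per_src = {}
    for f in findings:
        s = per_src.setdefault(f['src'], {'user': f['user'], 'flagged': 0, 'server_errors': 0})
        s['flagged'] += 1
        if f['status'] >= 500:
            s['server_errors'] += 1
    return per_src
```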
How to Mitigate CVE-2025-13278
Immediate Actions Required
- Restrict network access to the library application to trusted users and internal networks until a fix is applied
- Disable or remove the /borrowed_book_search.php endpoint if it is not in active use
- Audit application accounts and rotate credentials for users who could reach the vulnerable endpoint
Patch Information
No vendor advisory or official patch has been published by Projectworlds at the time of NVD publication. Operators should monitor the Projectworlds website for updates and apply any released fixes immediately. In the interim, modify the source of /borrowed_book_search.php to use prepared statements with bound parameters for the datefrom and dateto values, and enforce strict server-side date format validation before any database interaction.
Workarounds
- Place the application behind a WAF configured to filter SQL injection payloads on date-typed query parameters
- Modify the PHP source to validate datefrom and dateto against a strict YYYY-MM-DD regular expression before query execution
- Replace string concatenation in the affected query with PDO or MySQLi prepared statements using typed bindings
- Run the application's database account with the minimum privileges required, removing write or schema access where possible
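The two code-level workarounds above (strict YYYY-MM-DD validation, then a prepared statement with bound parameters) are shown together in the following added example. It is not the project's code: it is written in Python with an in-memory sqlite3 table standing in for the MySQL backend, and the table and column names are assumptions; the same two controls map directly onto a PDO or MySQLi prepared statement in the PHP source. The unsafe builder is included only to show the concatenation pattern the advisory describes and is never executed.

```python
import re
import sqlite3
from datetime import date

DATE_RE = re.compile(r'^\d{4}-\d{2}-\d{2}$')

def validate_date(value):
    """Allowlist check: exact YYYY-MM-DD shape and a real calendar date, else ValueError."""
    if not isinstance(value, str) or not DATE_RE.match(value):
        raise ValueError(f'not YYYY-MM-DD: {value!r}')
    y, m, d = (int(p) for p in value.split('-'))
    return date(y, m, d).isoformat()  # rejects e.g. 2025-02-30 (day out of range)

def build_query_unsafe(datefrom, dateto):
    """Hypothetical illustration of the flaw (not the project's code): the request
    values become part of the SQL text, so a stray quote changes the statement."""
    return ("SELECT * FROM borrowed_books WHERE borrow_date BETWEEN '"
            + datefrom + "' AND '" + dateto + "'")

def search_borrowed(conn, datefrom, dateto):
    """Hardened search: validate first, then bind the values so they stay data, not SQL."""
    datefrom, dateto = validate_date(datefrom), validate_date(dateto)
    sql = ("SELECT id, title, borrow_date FROM borrowed_books "
           "WHERE borrow_date BETWEEN ? AND ? ORDER BY borrow_date")
    return conn.execute(sql, (datefrom, dateto)).fetchall()

def safe_search(conn, datefrom, dateto):
    """Endpoint-style wrapper: returns (rows, error) so callers can answer with a 400."""
    try:
        return search_borrowed(conn, datefrom, dateto), None
    except ValueError as e:
        return [], str(e)

def demo_db():
    """Constructed in-memory stand-in for the library's borrowed-books table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE borrowed_books (id INTEGER PRIMARY KEY, title TEXT, borrow_date TEXT)')
    conn.executemany('INSERT INTO borrowed_books (title, borrow_date) VALUES (?, ?)', [
        ('Applied Cryptography', '2025-01-05'),
        ('The Art of Software Security Assessment', '2025-01-20'),
        ('Compilers', '2025-02-11'),
    ])
    return conn
```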
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

