Cybersecurity Vulnerabilities

CVE-2025-13573: Projectworlds Unrestricted File Upload – Critical Security Alert!

November 24, 2025 - By 

Overview

CVE-2025-13573 is a medium-severity security vulnerability affecting Projectworlds’ software, specifically versions up to 1.0. The vulnerability resides within the /add_book.php file and allows for unrestricted file uploads through manipulation of the image argument. This flaw enables remote attackers to upload arbitrary files, potentially leading to code execution, server compromise, or data breaches. The exploit has been publicly released, increasing the risk of exploitation.

Technical Details

The vulnerability stems from insufficient validation of the image argument in the /add_book.php script. Lack of proper file type checking, size limitations, or content sanitization allows an attacker to bypass intended security measures. An attacker can upload malicious files, such as PHP scripts, which can then be executed on the server. This unrestricted upload capability provides a direct pathway for compromising the system.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13573 a score of 6.3, indicating a MEDIUM severity. This score reflects the potential for remote exploitation and the impact on confidentiality, integrity, and availability.

  • Base Score: 6.3
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: Low (C:L)
  • Integrity Impact: Low (I:L)
  • Availability Impact: Low (A:L)

Possible Impact

Successful exploitation of CVE-2025-13573 can have several significant consequences:

  • Remote Code Execution (RCE): Uploaded malicious scripts (e.g., PHP) can be executed on the server, granting the attacker control over the system.
  • Server Compromise: An attacker can gain full access to the server, leading to data theft, defacement, or use as a platform for further attacks.
  • Data Breach: Sensitive data stored on the server could be accessed and stolen by the attacker.
  • Denial of Service (DoS): The attacker could upload files that consume excessive resources, leading to a denial of service for legitimate users.

Mitigation and Patch Steps

To mitigate the risk posed by CVE-2025-13573, the following steps are recommended:

  1. Apply the Patch (if available): Check the Projectworlds website or relevant repositories for a security patch addressing this vulnerability. Upgrade to the latest version of the software as soon as possible.
  2. Implement File Type Validation: Implement strict file type validation on the server-side. Only allow specific file types (e.g., JPG, PNG) that are necessary for the application’s functionality.
  3. Enforce File Size Limits: Set reasonable file size limits to prevent attackers from uploading excessively large files that could consume server resources.
  4. Sanitize File Names: Sanitize uploaded file names to prevent path traversal attacks or the execution of unintended code.
  5. Use a Web Application Firewall (WAF): Deploy a WAF to detect and block malicious file upload attempts.
  6. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.

References

GitHub Report
VulDB – CVE-2025-13573
VulDB ID: 333337
VulDB Submit Link

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *