Platform: php
Component: wegia
Fixed in: 3.4.4
CVE-2025-53529 describes a critical SQL Injection vulnerability discovered in WeGIA, a web manager for charitable institutions. This flaw allows an unauthenticated attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions of WeGIA up to and including 3.4.3, and a patch is available in version 3.4.3.
The SQL Injection vulnerability in WeGIA's /html/funcionario/profile_funcionario.php endpoint poses a significant risk. An attacker can exploit this flaw to bypass authentication and directly manipulate the database. This could result in the exfiltration of sensitive data such as donor information, financial records, and user credentials. Furthermore, an attacker might be able to modify or delete data, disrupt operations, or even gain control of the entire system. The lack of authentication required to exploit the vulnerability amplifies the potential impact, as any external user can attempt to leverage it.
CVE-2025-53529 was publicly disclosed on 2025-07-07. As of this date, there are no known public proof-of-concept exploits available. The vulnerability's critical CVSS score (9.8) and ease of exploitation suggest a high probability of exploitation if left unpatched. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.26% (49th percentile)
The primary mitigation for CVE-2025-53529 is to immediately upgrade WeGIA to version 3.4.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter malicious SQL injection attempts targeting the /html/funcionario/profile_funcionario.php endpoint, specifically focusing on the id_funcionario parameter. Server-side input validation, even as a temporary measure, can help prevent malicious SQL commands from being executed. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on the /html/funcionario/profile_funcionario.php endpoint with a known malicious payload.
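The following is an added illustration, not WeGIA's code, of the two server-side measures the mitigation paragraph recommends: validating an id parameter as an integer and binding it through a prepared statement. The `funcionario` table, its columns and the sample rows are constructed for the demo and are not WeGIA's schema; the script uses an in-memory SQLite database so it runs offline from the PHP CLI.

```php
<?php
// Added example (not WeGIA's code): the textbook pattern behind an
// "id parameter" SQL injection, beside the hardened form the advisory
// recommends (server-side validation plus a parameterised query).
// Table, column names and rows are assumptions for the demo only.

declare(strict_types=1);

// In-memory SQLite so the script runs offline; constructed sample data.
function demoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE funcionario (id_funcionario INTEGER PRIMARY KEY, nome TEXT)');
    $db->exec("INSERT INTO funcionario VALUES (1, 'Alice'), (2, 'Bob')");
    return $db;
}

// VULNERABLE pattern: the raw request parameter is concatenated into the
// query text, so anything that is not a plain integer changes the SQL
// the database actually parses.
function profileUnsafe(PDO $db, string $idParam): array {
    $sql = 'SELECT id_funcionario, nome FROM funcionario WHERE id_funcionario = ' . $idParam;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED form: reject anything that is not a positive integer before any
// query is built, then bind the value as a typed parameter so it can never
// be interpreted as SQL. Returns null when the input is rejected; the
// caller should answer with HTTP 400 rather than fall back to the raw string.
function profileSafe(PDO $db, string $idParam): ?array {
    $id = filter_var($idParam, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id_funcionario, nome FROM funcionario WHERE id_funcionario = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demoDb();

// A well-formed request behaves the same way through both functions.
var_dump(count(profileUnsafe($db, '1')) === 1);   // bool(true)
var_dump(count(profileSafe($db, '1')) === 1);     // bool(true)

// A tampered parameter (constructed: a tautology appended to the id) makes
// the unsafe path return every row, because the condition became part of
// the SQL text...
var_dump(count(profileUnsafe($db, '1 OR 1=1')) === 2);   // bool(true)

// ...while the validated path refuses it before a query is ever built.
var_dump(profileSafe($db, '1 OR 1=1') === null);          // bool(true)
```

Run it with `php demo.php` (any filename). The important design choice is that validation happens before the query exists and the value is bound with `PDO::PARAM_INT`; a WAF rule on the parameter is a useful stopgap, but only the parameterised query removes the class of bug rather than one payload shape.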
Update WeGIA to version 3.4.3 or higher. This version fixes the SQL Injection vulnerability. Download the latest version from the vendor's official website or through the provided update channels.
CVE-2025-53529 is a critical SQL Injection vulnerability affecting WeGIA versions up to 3.4.3. It allows unauthenticated attackers to inject malicious SQL commands through the id_funcionario parameter.
You are affected if you are using WeGIA version 3.4.3 or earlier. Immediately assess your environment and apply the necessary mitigation steps.
The recommended fix is to upgrade WeGIA to version 3.4.3 or later. As a temporary workaround, implement a WAF rule to filter malicious SQL injection attempts.
As of 2025-07-07, there are no confirmed reports of active exploitation, but the vulnerability's severity and ease of exploitation suggest a high potential for future attacks.
Refer to the official WeGIA website or their security advisory page for the latest information and updates regarding CVE-2025-53529.