CVE-2025-27133: Wegia Wegia SQL Injection Vulnerability

CVE-2025-27133 Overview

CVE-2025-27133 is a SQL Injection vulnerability in WeGIA, an open-source web manager used by charitable institutions. The flaw affects all versions prior to 3.2.15 and resides in the adicionar_tipo_exame.php endpoint. An authenticated attacker can inject arbitrary SQL through the tipo_exame POST parameter, which is concatenated directly into an INSERT statement. Successful exploitation allows the attacker to read, modify, or exfiltrate sensitive records from the backing database. The maintainers released version 3.2.15 to address the issue. The vulnerability is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.

Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the WeGIA database, exposing personally identifiable information stored by charitable institutions.

Affected Products

WeGIA versions prior to 3.2.15
dao/pet/adicionar_tipo_exame.php endpoint
Deployments using the WeGIA pet management module

Discovery Timeline

2025-02-24 - CVE-2025-27133 published to NVD
2025-02-28 - Last updated in NVD database

Technical Details for CVE-2025-27133

Vulnerability Analysis

The vulnerability exists in the adicionar_tipo_exame.php script of the WeGIA pet examination management module. The script accepts a tipo_exame value from an HTTP POST request and concatenates it directly into a SQL INSERT statement executed through PDO. Because the input is neither parameterized nor validated, an attacker can break out of the string literal and append additional SQL syntax. Any user with authenticated access to the application can reach the endpoint, since the vulnerable version lacks both a session check and a permission validation step.

Root Cause

The root cause is unsanitized concatenation of user-controlled input into a SQL query string. The vulnerable code retrieves $_POST["tipo_exame"] and embeds it into INSERT INTO pet_tipo_exame(descricao_exame) values('...') before calling $pdo->query(). The script also omits authentication and authorization checks, exposing the injection point to any reachable user.

Attack Vector

The attack vector is network-based and requires low privileges. An authenticated attacker submits a crafted POST request to dao/pet/adicionar_tipo_exame.php with a malicious tipo_exame payload. The injected SQL executes under the privileges of the application's database user, granting read and write access to tables such as pet_tipo_exame and any others reachable through stacked queries or UNION-based extraction.

php

// Patch from commit 619ead748e18e685459c6dc3c226e621b9ff5403
<?php
session_start();

// verify permission
if(!isset($_SESSION['id_pessoa'])){
    http_response_code(403);
    exit('Usuário não autenticado');
}

require_once '../../html/permissao/permissao.php';
permissao($_SESSION['id_pessoa'], 6, 5);

require_once "../Conexao.php";
$pdo = Conexao::connect();

// Vulnerable code (removed):
// $tipo_exame = $_POST["tipo_exame"];
// $sql = "INSERT INTO pet_tipo_exame(descricao_exame) values('" .$tipo_exame ."')";
// $pdo->query($sql);

// Fixed code (added):
$tipo_exame = trim(filter_input(INPUT_POST, 'tipo_exame', FILTER_SANITIZE_STRING));
$sql = "INSERT INTO pet_tipo_exame(descricao_exame) values(:tipoExame)";
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':tipoExame', $tipo_exame);
$stmt->execute();

Source: GitHub WeGIA Commit 619ead7. The patch introduces session validation, a permissao() permission check, input sanitization with filter_input, and a prepared statement using bound parameters.

Detection Methods for CVE-2025-27133

Indicators of Compromise

POST requests to /dao/pet/adicionar_tipo_exame.php containing SQL metacharacters such as single quotes, semicolons, UNION, SELECT, or comment sequences (--, /*) inside the tipo_exame parameter.
Unexpected rows in the pet_tipo_exame table containing SQL fragments rather than legitimate examination descriptions.
Database error log entries referencing syntax errors triggered by injected payloads from authenticated user sessions.

Detection Strategies

Inspect web server access logs for adicionar_tipo_exame.php requests originating from sessions that should not have administrative pet-management privileges.
Deploy a web application firewall (WAF) rule that flags SQL keywords and tautologies in the tipo_exame POST body.
Enable database query logging and alert on queries against pet_tipo_exame that include UNION operators or stacked statements.

Monitoring Recommendations

Monitor authenticated session activity for anomalous volumes of POST requests to WeGIA dao/ endpoints.
Track database account behavior for unusual SELECT queries originating from the PHP application user outside its normal pattern.
Correlate failed login attempts with subsequent endpoint access to identify credential stuffing followed by exploitation.

How to Mitigate CVE-2025-27133

Immediate Actions Required

Upgrade WeGIA to version 3.2.15 or later, which contains the official patch.
Restrict network access to the WeGIA application until the upgrade is complete, limiting reachability to trusted administrators.
Audit accounts with access to the pet management module and rotate credentials suspected of compromise.
Review the pet_tipo_exame table and related tables for unauthorized inserts or modifications.

Patch Information

The fix is included in WeGIA 3.2.15 and is implemented in commit 619ead748e18e685459c6dc3c226e621b9ff5403. The vendor advisory is published as GHSA-xj79-w799-qjcp. The patch replaces direct string concatenation with PDO prepared statements, adds filter_input sanitization, and enforces authentication and role-based authorization before executing the query.

Workarounds

If immediate upgrade is not possible, block public access to /dao/pet/adicionar_tipo_exame.php at the reverse proxy or WAF layer.
Apply a custom server-side filter that rejects tipo_exame values containing single quotes, semicolons, or SQL keywords.
Restrict the application database user to the minimum privileges required, removing DROP, ALTER, and cross-database SELECT rights.

bash

# Example WAF rule (ModSecurity) to block SQL metacharacters in tipo_exame
SecRule REQUEST_URI "@endsWith /dao/pet/adicionar_tipo_exame.php" \
    "phase:2,chain,deny,status:403,id:1027133,msg:'CVE-2025-27133 SQLi attempt'"
    SecRule ARGS:tipo_exame "@rx (?i)(\bunion\b|\bselect\b|--|;|/\*|')" "t:none"

CVE-2025-27133 Overview

Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the WeGIA database, exposing personally identifiable information stored by charitable institutions.

Affected Products

WeGIA versions prior to 3.2.15
dao/pet/adicionar_tipo_exame.php endpoint
Deployments using the WeGIA pet management module

Discovery Timeline

2025-02-24 - CVE-2025-27133 published to NVD
2025-02-28 - Last updated in NVD database

Technical Details for CVE-2025-27133

Vulnerability Analysis

Root Cause

Attack Vector

php

// Patch from commit 619ead748e18e685459c6dc3c226e621b9ff5403
<?php
session_start();

// verify permission
if(!isset($_SESSION['id_pessoa'])){
    http_response_code(403);
    exit('Usuário não autenticado');
}

require_once '../../html/permissao/permissao.php';
permissao($_SESSION['id_pessoa'], 6, 5);

require_once "../Conexao.php";
$pdo = Conexao::connect();

// Vulnerable code (removed):
// $tipo_exame = $_POST["tipo_exame"];
// $sql = "INSERT INTO pet_tipo_exame(descricao_exame) values('" .$tipo_exame ."')";
// $pdo->query($sql);

// Fixed code (added):
$tipo_exame = trim(filter_input(INPUT_POST, 'tipo_exame', FILTER_SANITIZE_STRING));
$sql = "INSERT INTO pet_tipo_exame(descricao_exame) values(:tipoExame)";
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':tipoExame', $tipo_exame);
$stmt->execute();

Source: GitHub WeGIA Commit 619ead7. The patch introduces session validation, a permissao() permission check, input sanitization with filter_input, and a prepared statement using bound parameters.

Detection Methods for CVE-2025-27133

Indicators of Compromise

POST requests to /dao/pet/adicionar_tipo_exame.php containing SQL metacharacters such as single quotes, semicolons, UNION, SELECT, or comment sequences (--, /*) inside the tipo_exame parameter.
Unexpected rows in the pet_tipo_exame table containing SQL fragments rather than legitimate examination descriptions.
Database error log entries referencing syntax errors triggered by injected payloads from authenticated user sessions.

Detection Strategies

Inspect web server access logs for adicionar_tipo_exame.php requests originating from sessions that should not have administrative pet-management privileges.
Deploy a web application firewall (WAF) rule that flags SQL keywords and tautologies in the tipo_exame POST body.
Enable database query logging and alert on queries against pet_tipo_exame that include UNION operators or stacked statements.

Monitoring Recommendations

Monitor authenticated session activity for anomalous volumes of POST requests to WeGIA dao/ endpoints.
Track database account behavior for unusual SELECT queries originating from the PHP application user outside its normal pattern.
Correlate failed login attempts with subsequent endpoint access to identify credential stuffing followed by exploitation.

How to Mitigate CVE-2025-27133

Immediate Actions Required

Upgrade WeGIA to version 3.2.15 or later, which contains the official patch.
Restrict network access to the WeGIA application until the upgrade is complete, limiting reachability to trusted administrators.
Audit accounts with access to the pet management module and rotate credentials suspected of compromise.
Review the pet_tipo_exame table and related tables for unauthorized inserts or modifications.

Patch Information

Workarounds

If immediate upgrade is not possible, block public access to /dao/pet/adicionar_tipo_exame.php at the reverse proxy or WAF layer.
Apply a custom server-side filter that rejects tipo_exame values containing single quotes, semicolons, or SQL keywords.
Restrict the application database user to the minimum privileges required, removing DROP, ALTER, and cross-database SELECT rights.

bash

# Example WAF rule (ModSecurity) to block SQL metacharacters in tipo_exame
SecRule REQUEST_URI "@endsWith /dao/pet/adicionar_tipo_exame.php" \
    "phase:2,chain,deny,status:403,id:1027133,msg:'CVE-2025-27133 SQLi attempt'"
    SecRule ARGS:tipo_exame "@rx (?i)(\bunion\b|\bselect\b|--|;|/\*|')" "t:none"

CVE-2025-27133: Wegia Wegia SQL Injection Vulnerability

CVE-2025-27133 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-27133

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-27133

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-27133

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2025-27133: Wegia Wegia SQL Injection Vulnerability

CVE-2025-27133 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-27133

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-27133

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-27133

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform