CVE-2025-52474: Wegia Wegia SQL Injection Vulnerability

CVE-2025-52474 Overview

CVE-2025-52474 is a SQL Injection vulnerability identified in WeGIA, a web manager application designed for charitable institutions. The vulnerability exists in the id parameter of the /WeGIA/controle/control.php endpoint, allowing attackers to manipulate SQL queries and access sensitive database information including table names and confidential data.

Critical Impact

This SQL Injection vulnerability allows authenticated attackers to extract sensitive database information from charitable institution management systems, potentially exposing donor records, financial data, and personal information of beneficiaries.

Affected Products

• WeGIA versions prior to 3.4.2
• WeGIA web management platform for charitable institutions
• Systems using the vulnerable /WeGIA/controle/control.php endpoint

Discovery Timeline

• 2025-06-19 - CVE-2025-52474 published to NVD
• 2025-07-02 - Last updated in NVD database

Technical Details for CVE-2025-52474

Vulnerability Analysis

This SQL Injection vulnerability (CWE-89) stems from improper input validation in the WeGIA web management application. The vulnerable endpoint at /WeGIA/controle/control.php accepts an id parameter that is directly incorporated into SQL queries without proper sanitization or parameterization. This allows attackers with low-level privileges to inject malicious SQL statements and extract sensitive information from the underlying database.

The vulnerability is particularly concerning given the nature of the affected application—charitable institutions typically store sensitive data including donor information, beneficiary records, financial transactions, and organizational data. Successful exploitation could lead to unauthorized access to this confidential information without requiring high-level authentication.

Root Cause

The root cause of this vulnerability is the use of unsanitized user input in SQL queries. The vulnerable code utilized PHP's extract() function to directly process request parameters, which were then passed to database operations without proper input validation or parameterized queries. This anti-pattern allows attackers to inject arbitrary SQL code through the id parameter.

Attack Vector

The attack is network-based and can be executed by authenticated users with low privileges. An attacker can craft malicious requests to the /WeGIA/controle/control.php endpoint, injecting SQL payloads through the id parameter. The vulnerability does not require user interaction and can be exploited to enumerate database schemas and extract sensitive data.

The security patch demonstrates the fix by replacing the vulnerable extract($_REQUEST) pattern with proper input filtering using filter_input() with FILTER_SANITIZE_SPECIAL_CHARS:

<?php
-$PetDAO_path = "dao/pet/SaudePetDAO.php";
-if(file_exists($PetDAO_path)){
-    require_once($PetDAO_path);
-}else{
-    while(true){
-        $PetDAO_path = "../" . $PetDAO_path;
-        if(file_exists($PetDAO_path)) break;
-    }
-    require_once($PetDAO_path);
-}
+require_once dirname(__FILE__, 3) . DIRECTORY_SEPARATOR . 'dao' . DIRECTORY_SEPARATOR . 'pet' . DIRECTORY_SEPARATOR . 'SaudePetDAO.php';

-class MedicamentoControle{
-    public function adicionarMedicamento(){
-        var_dump($_REQUEST);
-        extract($_REQUEST);
-        $c = new SaudePetDAO();
-        
-        $c->adicionarMedicamento( $nomeMedicamento, $descricaoMedicamento, $aplicacaoMedicamento);
-        if($id){
-           header("Location: ../../html/pet/profile_pet.php?id_pet=".$id);
-        }else{
-            header("Location: ../html/pet/informacao_medicamento.php");
+class MedicamentoControle
+{
+    public function adicionarMedicamento()
+    {
+        $nomeMedicamento = filter_input(INPUT_POST, 'nomeMedicamento', FILTER_SANITIZE_SPECIAL_CHARS);
+        $descricaoMedicamento = filter_input(INPUT_POST, 'descricaoMedicamento', FILTER_SANITIZE_SPECIAL_CHARS);

Source: GitHub Commit Details

Detection Methods for CVE-2025-52474

Indicators of Compromise

• Unusual SQL error messages in web application logs referencing the control.php endpoint
• HTTP requests to /WeGIA/controle/control.php containing SQL syntax in the id parameter (e.g., UNION SELECT, OR 1=1, single quotes)
• Unexpected database query patterns or access to system tables such as information_schema
• Anomalous data access patterns or bulk data extraction from WeGIA database tables

Detection Strategies

• Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to WeGIA endpoints
• Implement database activity monitoring to detect unusual queries such as schema enumeration or data extraction
• Configure IDS/IPS signatures to alert on common SQL injection payloads targeting the id parameter
• Monitor web server access logs for suspicious requests to /WeGIA/controle/control.php with encoded or malformed parameters

Monitoring Recommendations

• Enable detailed logging for all database queries executed by the WeGIA application
• Set up alerts for HTTP requests containing SQL keywords or special characters in parameter values
• Monitor for authentication anomalies or privilege escalation attempts following potential SQL injection activity
• Review database audit logs regularly for unauthorized schema access or data extraction attempts

How to Mitigate CVE-2025-52474

Immediate Actions Required

• Upgrade WeGIA to version 3.4.2 or later immediately to apply the security patch
• Review access logs for any evidence of exploitation attempts targeting the control.php endpoint
• Implement network-level access controls to restrict access to the WeGIA administrative interface
• Consider taking the application offline if patching cannot be performed immediately and sensitive data is at risk

Patch Information

The vulnerability has been patched in WeGIA version 3.4.2. The fix implements proper input sanitization using PHP's filter_input() function with FILTER_SANITIZE_SPECIAL_CHARS instead of the dangerous extract($_REQUEST) pattern. Additionally, the patch changes the form submission method from GET to POST for sensitive operations, reducing the attack surface. Organizations should apply this patch by updating to version 3.4.2 or later. For detailed patch information, refer to the GitHub Commit Details and the GitHub Security Advisory.

Workarounds

• Deploy a Web Application Firewall (WAF) with SQL injection detection rules to filter malicious requests before they reach the application
• Implement input validation at the reverse proxy or load balancer level to reject requests containing SQL injection patterns
• Restrict network access to the WeGIA application to trusted IP addresses only until the patch can be applied
• Disable or restrict access to the vulnerable /WeGIA/controle/control.php endpoint if it is not essential for operations

# Example WAF rule for ModSecurity to block SQL injection attempts
SecRule ARGS:id "@detectSQLi" \
    "id:1001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'SQL Injection attempt detected in WeGIA id parameter',\
    tag:'CVE-2025-52474'"