CVE-2025-54058 Overview
CVE-2025-54058 is a SQL Injection vulnerability in WeGIA, an open source web manager focused on Portuguese-language charitable institutions. The flaw exists in versions prior to 3.4.6 and resides in the idatendido_familiares parameter of the /html/funcionario/dependente_editarEndereco.php endpoint. Attackers with low privileges can manipulate SQL queries to extract table names and sensitive database contents. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Version 3.4.6 resolves the issue.
Critical Impact
Authenticated attackers can exfiltrate sensitive database records, including personal data of beneficiaries and employees managed by WeGIA deployments.
Affected Products
- WeGIA versions prior to 3.4.6
- Endpoint: /html/funcionario/dependente_editarEndereco.php
- Vulnerable parameter: idatendido_familiares
Discovery Timeline
- 2025-07-17 - CVE-2025-54058 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-54058
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input in the idatendido_familiares HTTP parameter. The dependente_editarEndereco.php script passes this parameter into a SQL query without parameterized statements or input sanitization. Attackers can append SQL syntax to alter query logic and trigger UNION-based or boolean-based data extraction.
The endpoint requires an authenticated session, but only low privileges are needed to reach the vulnerable code path. Successful exploitation grants read access to database tables that hold names, addresses, dependent records, and employee information. The attack is performed over the network using standard HTTP requests.
Root Cause
The root cause is the direct concatenation of the idatendido_familiares parameter into a SQL statement inside dependente_editarEndereco.php. WeGIA does not validate the parameter as an integer, nor does it bind the value through prepared statements. This pattern is documented under CWE-89.
Attack Vector
An authenticated attacker sends a crafted POST or GET request to /html/funcionario/dependente_editarEndereco.php, supplying SQL metacharacters within the idatendido_familiares parameter. The injected payload modifies the original query, allowing the attacker to enumerate schema information and read arbitrary tables accessible to the WeGIA database user. Refer to the GitHub Security Advisory GHSA-5pwp-39jc-wxj8 for additional technical details.
Detection Methods for CVE-2025-54058
Indicators of Compromise
- Web server access logs showing requests to /html/funcionario/dependente_editarEndereco.php containing SQL keywords such as UNION, SELECT, SLEEP, --, or 0x within the idatendido_familiares parameter.
- Anomalous response time spikes on the affected endpoint, suggesting time-based blind SQL injection probing.
- Database error messages referencing idatendido_familiares surfaced in application logs.
Detection Strategies
- Deploy web application firewall rules that flag SQL metacharacters in the idatendido_familiares POST parameter.
- Inspect PHP application logs for query failures originating from dependente_editarEndereco.php.
- Correlate authenticated user sessions with bursts of requests against the vulnerable endpoint to identify abuse patterns.
Monitoring Recommendations
- Enable verbose query logging on the MySQL/MariaDB instance backing WeGIA and alert on unexpected UNION or INFORMATION_SCHEMA queries.
- Forward web and database logs to a centralized SIEM and build detections for repeated 500 responses on the affected URL.
- Track outbound data volume from the WeGIA application server to detect bulk database exfiltration.
How to Mitigate CVE-2025-54058
Immediate Actions Required
- Upgrade WeGIA to version 3.4.6 or later, which contains the official fix.
- Audit existing WeGIA accounts and revoke any sessions or credentials that may have accessed the vulnerable endpoint.
- Review database audit logs for suspicious SELECT activity against employee and dependent tables since deployment.
Patch Information
The maintainers fixed the vulnerability in WeGIA 3.4.6. Details are published in the GitHub Security Advisory GHSA-5pwp-39jc-wxj8. Administrators should deploy the patched release from the upstream repository and verify the version after upgrade.
Workarounds
- Restrict access to /html/funcionario/dependente_editarEndereco.php at the web server or WAF level until the patch is applied.
- Enforce strict integer validation on the idatendido_familiares parameter via a reverse proxy rule.
- Apply the principle of least privilege to the database account used by WeGIA, limiting SELECT access to only required tables.
# Example nginx rule to block non-numeric values in idatendido_familiares
if ($arg_idatendido_familiares !~ "^[0-9]+$") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

