CVE-2025-55167 Overview
CVE-2025-55167 is a SQL Injection vulnerability discovered in WeGIA, an open source web manager focused on the Portuguese language and charitable institutions. The vulnerability exists in the /html/funcionario/dependente_remover.php endpoint, specifically within the id_dependente parameter. This flaw allows attackers to execute arbitrary SQL commands against the backend database, potentially compromising the confidentiality, integrity, and availability of sensitive data stored within the system.
Critical Impact
This SQL Injection vulnerability enables remote attackers with low privileges to execute arbitrary SQL commands via the network, potentially leading to complete database compromise, data exfiltration, and service disruption for charitable institutions using WeGIA.
Affected Products
- WeGIA versions prior to 3.4.8
- WeGIA web manager installations using the vulnerable dependente_remover.php endpoint
- Charitable institution management systems built on WeGIA
Discovery Timeline
- August 12, 2025 - CVE-2025-55167 published to NVD
- August 18, 2025 - Last updated in NVD database
Technical Details for CVE-2025-55167
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), representing a critical flaw in how the WeGIA application handles user-supplied input. The vulnerable endpoint dependente_remover.php fails to properly sanitize or parameterize the id_dependente parameter before incorporating it into SQL queries, allowing attackers to manipulate database operations.
The attack can be executed remotely over the network with low attack complexity. While the attacker requires low-level privileges (authenticated access), no user interaction is needed to exploit this vulnerability. Successful exploitation can result in high impact to confidentiality, integrity, and availability of the database, with potential for scope change affecting connected systems.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and the absence of parameterized queries in the dependente_remover.php endpoint. The application directly incorporates user-controlled input from the id_dependente parameter into SQL statements without proper sanitization or the use of prepared statements with bound parameters. Additionally, the original code lacked proper session management controls that could have provided an additional layer of defense.
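To make the root cause concrete, here is an added example that is not WeGIA's code: the CWE-89 pattern the paragraph describes, reproduced in Python against an in-memory SQLite table that stands in for the real dependent records (the table name, columns and rows are constructed, and WeGIA itself is PHP, so only the shape of the query handling carries over). The same input is run through the vulnerable string-concatenated query, through a bound parameter alone, and through validation plus binding, so the effect of each layer is visible.

```python
# Added example (not WeGIA's code): the CWE-89 pattern behind CVE-2025-55167,
# reproduced in Python with an in-memory SQLite table that stands in for the
# real dependent table. Table name, columns and rows are constructed.
import re
import sqlite3


def make_db():
    """Create a throwaway database with three constructed dependent records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dependente (id_dependente INTEGER PRIMARY KEY, nome TEXT)"
    )
    conn.executemany(
        "INSERT INTO dependente VALUES (?, ?)",
        [(1, "Ana"), (2, "Bruno"), (3, "Carla")],
    )
    conn.commit()
    return conn


def count_rows(conn):
    """Rows currently in the table."""
    return conn.execute("SELECT COUNT(*) FROM dependente").fetchone()[0]


def remove_vulnerable(conn, id_dependente):
    """The vulnerable shape: request input is pasted straight into the SQL
    text, so whatever the caller sends becomes part of the WHERE clause."""
    sql = "DELETE FROM dependente WHERE id_dependente = " + id_dependente
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def remove_bound(conn, id_dependente):
    """Binding alone: the value travels as data, never as SQL text, so it can
    only be compared against the column, not change the query's logic."""
    cur = conn.execute(
        "DELETE FROM dependente WHERE id_dependente = ?", (id_dependente,)
    )
    conn.commit()
    return cur.rowcount


def remove_safe(conn, id_dependente):
    """Validation plus binding: reject anything that is not a plain ASCII
    integer before it reaches the database, then bind the typed value."""
    if not isinstance(id_dependente, str) or not re.fullmatch(r"[0-9]+", id_dependente):
        raise ValueError("id_dependente must be a positive integer")
    return remove_bound(conn, int(id_dependente))


def demo(payload="2 OR 1=1"):
    """Run one input through the three handlers and report what happened."""
    vuln = make_db()
    remove_vulnerable(vuln, payload)  # the OR clause matches every row

    bound = make_db()
    bound_deleted = remove_bound(bound, payload)  # text never equals an integer id

    safe = make_db()
    try:
        remove_safe(safe, payload)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_rows_left": count_rows(vuln),
        "bound_rows_deleted": bound_deleted,
        "safe_rejected": rejected,
        "safe_rows_left": count_rows(safe),
    }


if __name__ == "__main__":
    print(demo())
```

The bound-only handler already stops the payload from altering the query, which is the core of the fix; the validation step on top of it gives the endpoint a clear error path for malformed input instead of silently deleting nothing, and it is the same check a WAF rule on the parameter approximates from the outside.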
Attack Vector
The attack vector is network-based, targeting the /html/funcionario/dependente_remover.php endpoint. An authenticated attacker can craft malicious requests containing SQL injection payloads in the id_dependente parameter. These payloads can be designed to extract sensitive data from the database, modify or delete records, escalate privileges within the application, or potentially gain command execution on the underlying server depending on database configuration and permissions.
// Security patch showing improved session handling (from actual commit)
<?php
+if (session_status() === PHP_SESSION_NONE) {
+ session_start();
+}
-session_start();
-if (!isset($_SESSION["usuario"])){
+if (!isset($_SESSION["usuario"])) {
header("Location: ../../index.php");
+ exit();
+} else {
+ session_regenerate_id();
}
// Verifica Permissão do Usuário
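Review bot: none of the changed lines in this hunk touch how id_dependente is placed into the SQL query, so what is shown is a hardening of the session check rather than the CWE-89 fix itself; the excerpt should also quote the prepared-statement or input-validation change for dependente_remover.php, otherwise a reader cannot confirm from the diff that the injection is closed. Two points on the lines that are shown: the added `exit();` after `header("Location: ../../index.php");` is the important part, since without it the rest of the script kept executing for unauthenticated callers even though a redirect had been sent; and `session_regenerate_id();` is called without the `true` argument, so the old session id's data stays on the server until garbage collection rather than being removed immediately.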
Source: GitHub Commit for WeGIA
Detection Methods for CVE-2025-55167
Indicators of Compromise
- Unusual or malformed HTTP requests targeting /html/funcionario/dependente_remover.php with SQL syntax in the id_dependente parameter
- Database error messages appearing in application logs indicating SQL syntax errors or injection attempts
- Unexpected database queries containing UNION, SELECT, DROP, or other SQL keywords in the id_dependente field
- Anomalous database activity patterns such as bulk data extraction or privilege escalation queries
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in HTTP requests to WeGIA endpoints
- Enable database query logging and monitor for suspicious queries containing injection patterns originating from the dependente_remover.php endpoint
- Deploy intrusion detection systems (IDS) with signatures for SQL injection attack patterns
- Configure application-level logging to capture all requests to the vulnerable endpoint with full parameter values
Monitoring Recommendations
- Monitor access logs for repeated requests to /html/funcionario/dependente_remover.php with varying id_dependente parameter values
- Set up alerts for database error rates that may indicate SQL injection probing attempts
- Track authentication patterns and flag suspicious session activity that may precede exploitation attempts
- Review database audit logs for unusual SELECT, INSERT, UPDATE, or DELETE operations on sensitive tables
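The indicators and monitoring bullets above can be turned into a small triage script. The following is an added example and is not part of the advisory or of WeGIA: it parses combined-format access log lines, picks out requests to /html/funcionario/dependente_remover.php, URL-decodes the id_dependente value, and flags three things the lists describe: values that are not a plain number or contain SQL syntax, server errors on the endpoint (the database-error signal), and a single client cycling through many distinct ids. The log lines are constructed, and the script assumes the parameter arrives in the query string of a GET; a POST body is not in a standard access log and needs the application-level logging recommended above.

```python
# Added example (not part of the advisory or WeGIA): triage of access log lines
# for the indicators listed above. Sample log lines below are constructed.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

TARGET_PATH = "/html/funcionario/dependente_remover.php"

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# SQL keywords and metacharacters that have no business in a numeric id.
SQL_RE = re.compile(
    r"(?i)\b(union|select|insert|update|delete|drop|or|and|sleep|benchmark)\b"
    "|['\";]|--|/\\*"
)

# Constructed sample: one clean request, one injection-shaped value that caused
# a 500, one client enumerating ids, and one unrelated request to ignore.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2025:10:00:01 +0000] "GET /html/funcionario/dependente_remover.php?id_dependente=42 HTTP/1.1" 302 -
203.0.113.5 - - [12/Aug/2025:10:00:05 +0000] "GET /html/funcionario/dependente_remover.php?id_dependente=42%20OR%201%3D1 HTTP/1.1" 500 512
198.51.100.7 - - [12/Aug/2025:10:01:00 +0000] "GET /html/funcionario/dependente_remover.php?id_dependente=7 HTTP/1.1" 302 -
198.51.100.7 - - [12/Aug/2025:10:01:01 +0000] "GET /html/funcionario/dependente_remover.php?id_dependente=8 HTTP/1.1" 302 -
198.51.100.7 - - [12/Aug/2025:10:01:02 +0000] "GET /html/funcionario/dependente_remover.php?id_dependente=9 HTTP/1.1" 302 -
198.51.100.7 - - [12/Aug/2025:10:01:03 +0000] "GET /html/funcionario/dependente_remover.php?id_dependente=10 HTTP/1.1" 302 -
203.0.113.5 - - [12/Aug/2025:10:02:00 +0000] "GET /html/index.php HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def value_reasons(value, status):
    """Reasons one URL-decoded id_dependente value looks hostile (empty if clean)."""
    reasons = []
    if not re.fullmatch(r"[0-9]+", value):
        reasons.append("non-numeric id_dependente")
    if SQL_RE.search(value):
        reasons.append("sql syntax in id_dependente")
    if status >= 500:
        reasons.append("server error on endpoint (possible database error)")
    return reasons


def analyze(lines, probe_threshold=4):
    """Scan log lines and return findings: hostile values per request, plus
    clients that cycled through at least probe_threshold distinct ids."""
    findings = []
    seen_ids = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so "42%20OR%201%3D1" is inspected as "42 OR 1=1"
        for value in parse_qs(url.query).get("id_dependente", []):
            seen_ids[rec["ip"]].add(value)
            reasons = value_reasons(value, int(rec["status"]))
            if reasons:
                findings.append({"kind": "payload", "ip": rec["ip"],
                                 "ts": rec["ts"], "value": value,
                                 "reasons": reasons})
    for ip, ids in seen_ids.items():
        if len(ids) >= probe_threshold:
            findings.append({"kind": "probing", "ip": ip,
                             "distinct_ids": len(ids),
                             "reasons": ["many distinct id_dependente values from one client"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The probing threshold is a site-specific knob: a staff member legitimately removing several dependents in a row looks the same at the access-log level, so that finding is a prompt to correlate with the application log and session identity rather than a verdict on its own. The keyword list is deliberately narrow; a rule like the ModSecurity example later on this page uses a proper SQL tokenizer and will catch forms this regex misses.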
How to Mitigate CVE-2025-55167
Immediate Actions Required
- Upgrade WeGIA to version 3.4.8 or later immediately to address this SQL Injection vulnerability
- If immediate upgrade is not possible, restrict network access to the vulnerable endpoint pending patching
- Review database logs for evidence of prior exploitation attempts
- Implement WAF rules to block SQL injection patterns targeting the affected endpoint as a temporary measure
Patch Information
WeGIA has addressed this vulnerability in version 3.4.8. The fix includes improved session handling with proper session status checks, session regeneration for authenticated users, and proper exit handling after redirects. Organizations should apply the patch by upgrading to the latest version. Technical details of the fix are available in the GitHub Commit for WeGIA and the GitHub Security Advisory GHSA-4fqm-ww3v-6mwv.
Workarounds
- Implement input validation at the web server level to reject requests with SQL injection patterns in the id_dependente parameter
- Deploy a Web Application Firewall (WAF) with SQL injection detection rules in front of the WeGIA application
- Restrict database user privileges for the WeGIA application to minimum required permissions, limiting potential damage from successful exploitation
- Consider temporarily disabling the vulnerable functionality if the dependent removal feature is not critical to operations
# Example WAF rule configuration for ModSecurity
SecRule ARGS:id_dependente "@detectSQLi" \
"id:1001,\
phase:2,\
deny,\
status:403,\
log,\
msg:'SQL Injection attempt blocked in id_dependente parameter',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'CVE-2025-55167'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

