CVE-2025-22598
📋 TL;DR
A stored XSS vulnerability in WeGIA's cadastrarSocio.php endpoint allows attackers to inject malicious scripts into the local_recepcao parameter. These scripts execute automatically when users access the affected page, potentially compromising user sessions and stealing sensitive data. All WeGIA installations below version 3.2.8 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
WeGIA by WeGIA
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, take full control of the WeGIA instance, access sensitive charitable donor data, and pivot to internal networks.
Likely Case
Session hijacking, credential theft from users accessing the vulnerable page, defacement of the application interface.
If Mitigated
Limited to interface manipulation if proper input validation and output encoding are implemented at other layers.
🎯 Exploit Status
Exploitation requires the ability to submit data to the vulnerable parameter, which may require some level of access to the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9x2j-pw3h-p53f
Restart Required: No
Instructions:
1. Back up your current WeGIA installation and database.
2. Download WeGIA version 3.2.8 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify that the cadastrarSocio.php endpoint now properly sanitizes the local_recepcao parameter.
🔧 Temporary Workarounds
Input Validation / Web Application Firewall (WAF) Rule
Block or sanitize requests containing script tags or JavaScript in the local_recepcao parameter.
Disable Vulnerable Endpoint
Temporarily disable or restrict access to cadastrarSocio.php if not critically needed.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Deploy a web application firewall (WAF) with XSS protection rules specifically for the local_recepcao parameter.
🔍 How to Verify
Check if Vulnerable:
Test by submitting a payload like <script>alert('XSS')</script> to the local_recepcao parameter in cadastrarSocio.php and check if it executes when the page is reloaded.
Check Version:
Check the WeGIA version in the application's admin panel or configuration files.
Verify Fix Applied:
After patching, attempt the same XSS payload; it should be properly sanitized or blocked without execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to cadastrarSocio.php with script-like content in parameters
- Multiple failed login attempts following suspicious parameter submissions
Network Indicators:
- HTTP requests containing <script> tags or JavaScript functions in the local_recepcao parameter
SIEM Query:
source="web_logs" AND uri_path="/cadastrarSocio.php" AND (param="local_recepcao" AND value MATCHES "(?i)<script|javascript:")
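As an added detection example (not part of the original advisory or of the WeGIA project), the following Python script applies the same pattern as the SIEM query above to constructed request-log lines, URL-decoding the local_recepcao value before matching so that percent-encoded or double-encoded payloads are not missed. The log format is an assumption; POST bodies only appear in logs if the web server or WAF is configured to record them.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Same pattern as the advisory's SIEM query, applied after URL decoding so that
# percent-encoded payloads (e.g. %3Cscript%3E) do not slip past the match.
XSS_PATTERN = re.compile(r"<script|javascript:", re.IGNORECASE)
TARGET_PATH = "/cadastrarSocio.php"
TARGET_PARAM = "local_recepcao"

# Constructed sample log lines (not real WeGIA traffic). Assumed format:
# "<client-ip> <method> <path> <form-encoded body>"; the body field is only
# present when the server or WAF logs POST bodies.
SAMPLE_LOG = """\
10.0.0.5 POST /cadastrarSocio.php nome=Maria&local_recepcao=Sede
10.0.0.7 POST /cadastrarSocio.php nome=X&local_recepcao=%3Cscript%3Ealert(1)%3C%2Fscript%3E
10.0.0.8 POST /cadastrarSocio.php nome=Y&local_recepcao=JavaScript%3Aalert(1)
10.0.0.9 POST /outro.php local_recepcao=%3Cscript%3E
10.0.0.5 GET /cadastrarSocio.php
"""


def parse_line(line):
    """Split one assumed-format log line into its fields; None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None
    ip, method, path = parts[:3]
    body = parts[3] if len(parts) == 4 else ""
    return {"ip": ip, "method": method, "path": path, "body": body}


def is_suspicious(entry):
    """True if the request targets the endpoint and local_recepcao matches."""
    if entry is None or entry["path"] != TARGET_PATH:
        return False
    # parse_qs percent-decodes each value once; decoding once more catches
    # double-encoded payloads (%253Cscript%253E).
    params = parse_qs(entry["body"], keep_blank_values=True)
    return any(XSS_PATTERN.search(unquote_plus(v)) for v in params.get(TARGET_PARAM, []))


def find_suspicious(log_text):
    """Return the client IPs of all matching requests, in log order."""
    return [e["ip"] for e in map(parse_line, log_text.splitlines()) if is_suspicious(e)]


if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # ['10.0.0.7', '10.0.0.8']
```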