CVE-2025-57761
📋 TL;DR
This SQL injection in WeGIA's employee dependent removal endpoint (/html/funcionario/dependente_remover.php) lets an attacker inject arbitrary SQL through the id_funcionario parameter. A successful injection can read, modify, or delete database contents, including donor data, financial records, and personal information, and because the endpoint issues a delete, a tautology payload can destroy records outright. All WeGIA installations prior to version 3.4.10 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
WeGIA, an open-source web management system for charitable institutions, developed by LabRedesCefetRJ (the advisory repository is linked below).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WeGIA database: theft or destruction of its contents, authentication bypass through manipulated credential tables, and, where the application's database account holds file-write or similar privileges, a path to code execution on the database host.
Likely Case
Unauthorized access to sensitive charitable institution data including donor information, financial records, and personal employee/dependent details.
If Mitigated
Limited if the application's database user is confined to the tables and operations it actually needs and the endpoint is reachable only by authenticated, trusted users; an injection is then bounded by what that account can touch.
🎯 Exploit Status
The endpoint is reachable only to an authenticated WeGIA user, so the attacker needs a valid session or a low-privileged account; given one, exploitation is a single crafted request with no special tooling. Because the endpoint performs a DELETE, a successful injection can destroy data directly, not only read it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.10
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fxwc-r5m4-hj62
Restart Required: No
Instructions:
1. Back up the current WeGIA installation and its database before changing anything.
2. Download WeGIA 3.4.10 (or later) from the official repository.
3. Upgrade the installation. If only the hot fix can be applied, replace /html/funcionario/dependente_remover.php with the version shipped in 3.4.10, keeping in mind that a single-file swap leaves any other changes in that release unapplied; a full upgrade is preferred.
4. Verify the fix on a staging copy using the checks under "How to Verify": non-numeric id_funcionario values must be rejected before they reach the database.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection rules in front of the vulnerable endpoint. Treat this as a stopgap: signature rules can be bypassed with encoding and comment tricks, and for this endpoint a rule that rejects any non-numeric id_funcionario value is more reliable than keyword matching.
Endpoint Restriction
Restrict access to /html/funcionario/dependente_remover.php using web server configuration or network controls. Both snippets below also block legitimate dependent removal, so they are emergency measures until 3.4.10 is deployed.
# Apache (inside the site's VirtualHost). "Require valid-user" only works if an
# authentication provider (AuthType, AuthName, AuthUserFile or equivalent) is also
# configured for this Location; without one Apache answers with a 500 error.
<Location /html/funcionario/dependente_remover.php>
    Require valid-user
</Location>
# Nginx: refuse the endpoint outright (403) until patched.
location ~ ^/html/funcionario/dependente_remover\.php$ {
    deny all;
}
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in the vulnerable PHP file
- Apply database-level controls: restrict application database user permissions to minimum required operations
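The following is an added example, not WeGIA's source: it places the vulnerable string-spliced DELETE beside a hardened version (integer allow-list plus bound parameter) and runs this page's tautology payload through both. The database is an in-memory SQLite stand-in for the project's real database, and the dependente table and its columns are hypothetical.

```python
"""Vulnerable vs. hardened dependent removal, demonstrated on SQLite.

Added example, not WeGIA's source. The table layout (dependente with an
id_funcionario column) and the function names are hypothetical stand-ins.
"""
import re
import sqlite3

ID_RE = re.compile(r"[0-9]+")  # a legitimate id_funcionario is a plain integer


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: dependents belonging to three employees."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dependente ("
        "id INTEGER PRIMARY KEY, id_funcionario INTEGER NOT NULL, nome TEXT)"
    )
    conn.executemany(
        "INSERT INTO dependente (id_funcionario, nome) VALUES (?, ?)",
        [(1, "dep-a"), (1, "dep-b"), (2, "dep-c"), (3, "dep-d")],
    )
    conn.commit()
    return conn


def remove_vulnerable(conn: sqlite3.Connection, id_funcionario: str) -> int:
    """The vulnerable pattern: the request value is spliced into the SQL text,
    so a quote inside it becomes SQL syntax. Returns the number of rows deleted."""
    sql = f"DELETE FROM dependente WHERE id_funcionario = '{id_funcionario}'"
    return conn.execute(sql).rowcount


def remove_hardened(conn: sqlite3.Connection, id_funcionario: str) -> int:
    """Hardened form: allow-list the value as an integer, then bind it as a
    parameter so the database never interprets it as SQL. Rejects anything else."""
    if not ID_RE.fullmatch(id_funcionario):
        raise ValueError("id_funcionario must be a positive integer")
    return conn.execute(
        "DELETE FROM dependente WHERE id_funcionario = ?", (int(id_funcionario),)
    ).rowcount


def count_rows(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM dependente").fetchone()[0]


def demo(payload: str = "1' OR '1'='1") -> dict:
    """Run one payload through both versions on identical data; report the damage."""
    result = {}

    conn = fresh_db()
    result["vulnerable_deleted"] = remove_vulnerable(conn, payload)
    result["vulnerable_remaining"] = count_rows(conn)

    conn = fresh_db()
    try:
        remove_hardened(conn, payload)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    result["hardened_remaining"] = count_rows(conn)

    # The hardened version still serves the legitimate request.
    result["legit_deleted"] = remove_hardened(fresh_db(), "1")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the page's payload the vulnerable function's statement becomes `DELETE FROM dependente WHERE id_funcionario = '1' OR '1'='1'` and wipes every dependent; the hardened function refuses the value before any query runs, and still deletes exactly the two rows for employee 1 when given a real id. The allow-list check matters on its own: even with parameter binding, rejecting non-integers keeps garbage out of logs and error paths.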
🔍 How to Verify
Check if Vulnerable:
Send a request to /html/funcionario/dependente_remover.php with a non-numeric id_funcionario and compare the response against a baseline request with a valid id. Do this only on a staging copy with a fresh database backup: the endpoint issues a DELETE, so a tautology payload such as id_funcionario=1' OR '1'='1 removes every dependent record, not just one. A lone single quote (id_funcionario=1') is a safer first probe; a database error, or any behaviour other than a clean rejection, indicates the value reaches the query unsanitized.
Check Version:
Check the WeGIA version in the admin interface or in the version files of the installation directory; any version below 3.4.10 is vulnerable.
Verify Fix Applied:
After patching, repeat the same requests on the staging copy and confirm that non-numeric values are rejected before they reach the database: no SQL error, and no dependent records removed.
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in the PHP error log or application log (SQL errors surface there, not in the web server's access log)
- Repeated requests to /html/funcionario/dependente_remover.php with quotes, comment markers (--, #) or SQL keywords in id_funcionario, especially from a single client
- Database query logs showing DELETE statements against the dependent table whose WHERE clause contains OR, UNION or comment sequences instead of a single numeric id
Network Indicators:
- HTTP POST/GET requests to /html/funcionario/dependente_remover.php containing SQL keywords (UNION, SELECT, INSERT, DELETE) in parameters
SIEM Query (pseudo-syntax; adapt field names to your platform and URL-decode the parameter before matching):
source="web_server" AND url="/html/funcionario/dependente_remover.php" AND param="id_funcionario" AND NOT value MATCHES "^[0-9]+$"
A legitimate id_funcionario is always an integer, so this allow-list match is both stricter and quieter than a keyword list such as (union|select|insert|delete|or|and|'|--|#): it also catches encoded or comment-obfuscated payloads that keyword matching misses. Note that access logs only carry GET query strings; POST bodies need application-level or WAF logging to be inspected.
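The detection logic above, run over constructed access-log lines as an added example (not WeGIA's or any vendor's code). It parses Apache/Nginx combined-format lines, URL-decodes the id_funcionario value, flags anything that is not a plain integer on the vulnerable path, and groups hits per client to match the "multiple requests" indicator. The sample IPs, timestamps and requests are constructed.

```python
"""Detection for CVE-2025-57761 probes in web access logs.

Added example, not WeGIA's or any vendor's code. Log lines are constructed
in Apache/Nginx combined format; the rule inspects GET query strings only,
since POST bodies are not present in access logs.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/html/funcionario/dependente_remover.php"
NUMERIC = re.compile(r"[0-9]+")

# client - - [timestamp] "METHOD target HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one benign request, two injection probes, one unrelated
# hit that merely contains the word "or", and a POST whose body is not logged.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "GET /html/funcionario/dependente_remover.php?id_funcionario=42 HTTP/1.1" 302 0
203.0.113.7 - - [01/Sep/2025:10:00:02 +0000] "GET /html/funcionario/dependente_remover.php?id_funcionario=1'%20OR%20'1'='1 HTTP/1.1" 200 512
203.0.113.7 - - [01/Sep/2025:10:00:03 +0000] "GET /html/funcionario/dependente_remover.php?id_funcionario=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
198.51.100.5 - - [01/Sep/2025:10:00:04 +0000] "GET /html/funcionario/index.php?busca=or HTTP/1.1" 200 2048
203.0.113.7 - - [01/Sep/2025:10:00:05 +0000] "POST /html/funcionario/dependente_remover.php HTTP/1.1" 302 0
"""


def check_request(target: str) -> Optional[str]:
    """Return the offending id_funcionario value (URL-decoded) when the request
    hits the vulnerable endpoint with a non-integer id, otherwise None."""
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so %27 / %20 obfuscation is normalised first.
    for value in parse_qs(url.query, keep_blank_values=True).get("id_funcionario", []):
        if not NUMERIC.fullmatch(value):
            return value
    return None


def scan(log_text: str) -> list:
    """One finding per suspicious request line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bad = check_request(m["target"])
        if bad is not None:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "value": bad}
            )
    return findings


def repeat_offenders(findings: list, threshold: int = 2) -> dict:
    """Clients with at least `threshold` probes: the 'multiple requests'
    indicator, which also filters out a single mistyped id."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("repeat offenders:", repeat_offenders(hits))
```

On the sample, only the two probe lines are flagged (the benign id, the unrelated page containing "or", and the POST with no logged body are not), and 203.0.113.7 is reported as a repeat offender. The status codes on the findings are worth keeping: a 500 usually means the injected text reached the database, while a 200 on a malformed id may indicate the tautology executed.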