CVE-2025-61605 in WeGIA

Summary

by MITRE • 10/03/2025

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an SQL Injection vulnerability which was identified in the /pet/profile_pet.php endpoint, specifically in the id_pet parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue is fixed in version 3.5.0.


Analysis

by VulDB Data Team • 10/14/2025

The WeGIA web management platform serves charitable institutions and has been identified with a critical SQL injection vulnerability affecting versions 3.4.12 and earlier. The vulnerability resides in the /pet/profile_pet.php endpoint, where the id_pet parameter is not properly validated before it reaches the database query, giving an attacker a way to manipulate the query's structure. The flaw is a basic secure-coding failure in how the application builds database queries from user-supplied input. It enables attackers to construct SQL commands that bypass the intended authentication and authorization checks, potentially leading to complete compromise of the database.

Exploitation occurs when an attacker submits crafted input through the id_pet parameter, injecting SQL that executes within the database context of the application. The weakness is classified under Common Weakness Enumeration category CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The attack vector works by altering the structure of the SQL statement so that the database performs an operation other than the one the developer intended, potentially enabling data extraction, modification, or deletion. The impact extends beyond simple data access, since control over database queries can facilitate privilege escalation and lateral movement within the affected system.

Operational consequences of this vulnerability are severe and multifaceted, affecting all three pillars of information security. Confidentiality is compromised as attackers can extract sensitive data including donor information, institutional records, and personal identifiers of beneficiaries. Integrity suffers through potential data modification or corruption that could alter critical institutional records and financial data. Availability is threatened as malicious actors could execute destructive commands that render database services unavailable or corrupt the entire database structure. The vulnerability affects charitable institutions specifically, making them particularly susceptible to attacks that could undermine their operations and trust relationships with donors and beneficiaries.

Remediation requires prompt deployment of version 3.5.0, which includes proper input sanitization and parameterized queries. Organizations should implement input validation at multiple layers, including application-level filtering, database-level query parameterization, and error handling that does not leak information about the query or schema. Security best practice dictates that all user input be treated as untrusted and properly parameterized or escaped before any database interaction. Web application firewalls and intrusion detection systems can provide additional defense-in-depth measures. The attack maps to tactics and techniques documented in the MITRE ATT&CK framework under the Execution and Credential Access tactics, specifically the use of SQL injection to gain unauthorized access to database systems. Organizations should conduct thorough security assessments to ensure every instance of the vulnerable software is updated and to verify that controls are in place to prevent similar vulnerabilities in other components of their information systems.
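The following PHP snippet is an added illustration of the remediation described above and is not WeGIA's own code: it shows the unsafe pattern behind CWE-89 in a profile lookup keyed by id_pet, beside a hardened version that validates the parameter and binds it in a prepared statement. The table name, column names and the in-memory SQLite fixture are assumptions made for the demonstration.

```php
<?php
// Added example (not WeGIA's code). Table/column names and the SQLite fixture are assumed.

// Unsafe pattern: the request parameter is concatenated straight into the SQL text,
// so whoever controls id_pet controls the structure of the query (CWE-89).
function loadPetProfileUnsafe(PDO $db, string $idPet): array|false
{
    $sql = "SELECT id_pet, nome FROM pet WHERE id_pet = " . $idPet;
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate id_pet as a positive integer, then bind it as a typed
// placeholder so the value is sent as data and can never alter the query structure.
function loadPetProfile(PDO $db, string $idPet): array|false
{
    $id = filter_var($idPet, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject rather than "clean" the input; do not echo the raw value back to the client.
        throw new InvalidArgumentException('id_pet must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id_pet, nome FROM pet WHERE id_pet = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the example runs stand-alone (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pet (id_pet INTEGER PRIMARY KEY, nome TEXT)');
$db->exec("INSERT INTO pet VALUES (1, 'Rex'), (2, 'Mia')");

var_dump(loadPetProfile($db, '2'));   // well-formed id: returns the row for Mia

try {
    loadPetProfile($db, '2abc');      // malformed id: refused before any SQL is built or executed
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In the hardened version the integer check fails closed, and the prepared statement means the database receives the query text and the value separately, which is the property the 3.5.0 fix relies on.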

Responsible

GitHub M

Reservation

09/26/2025

Disclosure

10/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00049

KEV

no

Activities

very low
