CVE-2025-54060 is a critical SQL Injection vulnerability affecting the WeGIA web management platform developed by LabRedesCefetRJ. WeGIA is an open-source web manager primarily targeting Portuguese-speaking charitable institutions. The vulnerability exists in versions prior to 3.4.6 within the `idatendido_familiares` parameter of the `/html/funcionario/dependente_editarInfoPessoal.php` endpoint. This parameter is improperly sanitized, allowing attackers to inject malicious SQL code that manipulates backend database queries. Exploiting this flaw enables unauthorized access to sensitive database information, including table names and confidential data stored within the system. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating that special characters in SQL commands are not properly handled, leading to injection attacks. The CVSS 4.0 base score is 9.4 (critical), reflecting the vulnerability's high impact and ease of exploitation: it requires no user interaction, no privileges, and can be exploited remotely over the network. The vulnerability affects all WeGIA versions before 3.4.6, and the vendor has released version 3.4.6 to address the issue. No known exploits are currently reported in the wild, but the severity and nature of the vulnerability make it a prime target for attackers once exploit code becomes available. Given WeGIA's focus on Portuguese language and charitable organizations, the affected user base is likely concentrated in Portuguese-speaking regions, but the open-source nature means deployments could exist globally. The vulnerability compromises confidentiality, integrity, and availability by allowing attackers to extract sensitive data, modify database contents, or disrupt application functionality through crafted SQL commands.

For European organizations, especially those involved in charitable work or using WeGIA for web management, this vulnerability poses a significant risk. Exploitation can lead to unauthorized disclosure of sensitive personal data, including donor information, beneficiary details, and internal organizational data. This can result in severe privacy violations, regulatory non-compliance (e.g., GDPR breaches), reputational damage, and potential financial penalties. Additionally, attackers could manipulate or delete critical data, disrupting operations and service delivery. The ease of exploitation without authentication increases the threat level, as attackers can remotely compromise systems without insider access. Given the critical CVSS score and the potential for widespread data exposure, European organizations using vulnerable WeGIA versions must treat this vulnerability as a top priority. The impact extends beyond data loss to include potential legal liabilities and erosion of trust among stakeholders.

1. Immediate upgrade to WeGIA version 3.4.6 or later, which contains the official patch fixing the SQL Injection vulnerability. 2. If immediate upgrade is not feasible, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the `idatendido_familiares` parameter and the affected endpoint. 3. Conduct a thorough audit of all WeGIA instances to identify vulnerable versions and confirm patch status. 4. Review and sanitize all user inputs in custom integrations or extensions to WeGIA to prevent similar injection flaws. 5. Implement database access controls with least privilege principles to limit the impact of potential SQL injection exploitation. 6. Monitor application logs for unusual query patterns or error messages indicative of attempted SQL injection attacks. 7. Educate development and IT teams on secure coding practices, emphasizing input validation and parameterized queries to prevent injection vulnerabilities. 8. Prepare an incident response plan specific to potential data breaches stemming from this vulnerability, including notification procedures compliant with GDPR.