
CVE-2025-58159: CWE-434: Unrestricted Upload of File with Dangerous Type in LabRedesCefetRJ WeGIA

Critical
Tags: vulnerability, cve, cve-2025-58159, cwe-434, cwe-94
Published: Fri Aug 29 2025 (08/29/2025, 22:15:12 UTC)
Source: CVE Database V5
Vendor/Project: LabRedesCefetRJ
Product: WeGIA

Description

WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11.

AI-Powered Analysis

AI analysis last updated: 08/29/2025, 22:47:46 UTC

Technical Analysis

CVE-2025-58159 is a critical remote code execution vulnerability affecting versions of the WeGIA web management application prior to 3.4.11. WeGIA is used by charitable institutions to manage their web presence and operations. The vulnerability arises from improper validation and sanitization of uploaded files, specifically allowing attackers to upload files with arbitrary filenames and dangerous extensions such as .php. The application fails to enforce restrictions on file types or sanitize filenames, enabling an attacker to upload a file that contains both a spreadsheet payload and embedded PHP code. Because the uploaded file is saved directly to disk and can be executed by the server, this leads to arbitrary code execution on the server hosting the application. This vulnerability is a direct consequence of insufficient mitigation of a previous vulnerability (CVE-2025-22133). The weakness is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-94 (Improper Control of Generation of Code). The CVSS v3.1 base score is 10.0, indicating a critical severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability with a scope change. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity make it a prime target for exploitation. The issue was addressed and patched in WeGIA version 3.4.11, which implements proper validation and sanitization of uploaded files to prevent execution of malicious code embedded in uploads.

Potential Impact

For European organizations using WeGIA, especially charitable institutions and NGOs, this vulnerability poses a severe risk. Successful exploitation can lead to full compromise of the web server hosting the application, allowing attackers to execute arbitrary code, potentially leading to data theft, defacement, disruption of services, or use of the compromised server as a pivot point for further attacks within the network. The impact on confidentiality is high as sensitive donor and organizational data could be exposed. Integrity is compromised as attackers can modify data or application behavior. Availability is also at risk due to potential server crashes or ransomware deployment. Given the criticality and ease of exploitation over the network, organizations could face regulatory consequences under GDPR if personal data is compromised. Additionally, reputational damage could be significant for charitable organizations relying on public trust. The lack of user interaction and low attack complexity means attackers can automate exploitation attempts, increasing the risk of widespread attacks if patches are not applied promptly.

Mitigation Recommendations

European organizations should immediately verify the version of WeGIA in use and upgrade to version 3.4.11 or later, where the vulnerability is patched. If an immediate upgrade is not feasible, implement strict file upload controls at the web server or application firewall level to block uploads of files with executable extensions (.php, .phtml, .php5 and similar). Employ content-type validation and file signature verification to ensure only legitimate spreadsheet files are accepted. Configure the web server so that nothing in the upload directories can be executed as a script (e.g., using appropriate .htaccess or server configuration directives). Implement application-level validation and sanitization of filenames so that a client-supplied name cannot introduce a dangerous extension. Regularly audit and monitor upload directories for suspicious files. Employ intrusion detection systems to detect anomalous file upload activity. Conduct security awareness training for administrators to recognize and respond to suspicious activities. Finally, maintain an up-to-date inventory of all web applications and their versions to ensure timely patch management.
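The following Python module is an added example, not code from WeGIA or from this advisory, illustrating the controls the technical analysis and the mitigation list call for: an extension allowlist that inspects every dotted component of the client filename, file-signature checks for the spreadsheet types, a server-generated storage name, and an audit routine for upload directories that flags executable extensions or a PHP open tag appended to an otherwise valid file. The accepted types (.xlsx, .xls, .csv), the size limit and the sample inputs are assumptions chosen for the example.

```python
import os
import re
import secrets

# Accepted spreadsheet types and the leading bytes each must start with.
# Assumption (not from the advisory): the import feature takes .xlsx, .xls and .csv.
ALLOWED_SIGNATURES = {
    "xlsx": [b"PK\x03\x04"],                       # OOXML is a ZIP container
    "xls": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound document
    "csv": [],                                     # plain text, validated as UTF-8 below
}

# Extensions a PHP-enabled web server may hand to the interpreter if the file
# lands in a web-served directory; none may appear anywhere in an accepted name.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for the example
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_spreadsheet_upload(original_name: str, data: bytes):
    """Return (accepted, reason, stored_name).

    stored_name is generated server-side and never derived from the client
    filename, so a ".php" name cannot reach the disk even if a check is later
    bypassed. Signature checks stop type spoofing but not PHP appended after a
    valid spreadsheet (the pattern in the advisory); that case is neutralised
    by the generated name plus a non-executable upload directory.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False, "size out of range", None
    base = os.path.basename(original_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension", None
    # Check every dotted component so "x.php.xlsx" and "x.xlsx.php" are both refused.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension in filename", None
    ext = parts[-1]
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not in allowlist", None
    if ext == "csv":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "csv is not valid utf-8", None
        if PHP_OPEN_TAG.search(data):
            return False, "php open tag in csv content", None
    elif not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match the claimed spreadsheet type", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def classify_stored_file(name: str, blob: bytes):
    """Reasons a file already in the upload directory looks dangerous; [] if clean."""
    reasons = []
    parts = name.lower().split(".")
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        reasons.append("executable extension")
    if PHP_OPEN_TAG.search(blob):
        reasons.append("php open tag in content")
    return reasons


def audit_upload_dir(root: str):
    """Walk an upload directory and return [(path, reasons)] for suspicious files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                blob = fh.read(MAX_UPLOAD_BYTES)
            reasons = classify_stored_file(name, blob)
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample uploads, not files from any real deployment.
    samples = {
        "donors.xlsx": b"PK\x03\x04" + b"\x00" * 64,
        "donors.php": b"<?php /* constructed marker */ ?>",
        "donors.xlsx.php": b"PK\x03\x04" + b"\x00" * 64 + b"<?php /* marker */ ?>",
        "donors.csv": b"name,amount\nA,10\n",
    }
    for name, blob in samples.items():
        accepted, reason, _ = validate_spreadsheet_upload(name, blob)
        print(f"{name:16} accepted={accepted} reason={reason}")
```

The audit routine is a heuristic for the appended-payload pattern and will not catch every variant; the durable control is that uploads are stored under a generated name in a directory the web server never executes, which is exactly what the .htaccess or server directive in the mitigation list enforces.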


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-27T13:34:56.186Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b22a90ad5a09ad007bf759

Added to database: 8/29/2025, 10:32:48 PM

Last enriched: 8/29/2025, 10:47:46 PM

Last updated: 8/30/2025, 1:01:45 AM
