CVE-2025-59939 is a high-severity SQL Injection vulnerability affecting versions of the WeGIA web management system prior to 3.5.0. WeGIA is a web-based platform designed to manage charitable institutions, developed by LabRedesCefetRJ. The vulnerability exists in the control.php endpoint, specifically in the parameters nomeClasse=ProdutoControle&metodo=excluir&id_produto. The id_produto parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands. This improper neutralization of special elements in SQL commands (CWE-89) enables an attacker with at least low privileges (PR:L) to execute arbitrary SQL queries remotely without user interaction (UI:N). The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high impact on confidentiality, integrity, and availability. Exploitation could lead to unauthorized data disclosure, data modification, or deletion of critical data within the charitable institutions' databases. The vulnerability has been patched in WeGIA version 3.5.0 by implementing prepared statements, input sanitization, and validation on the id_produto parameter. No known exploits are currently reported in the wild, but the ease of exploitation and the critical nature of the flaw make it a significant risk if unpatched.

For European organizations, especially charitable institutions using WeGIA versions prior to 3.5.0, this vulnerability poses a serious risk. Successful exploitation could lead to unauthorized access to sensitive donor information, financial records, and operational data, potentially resulting in data breaches, reputational damage, and regulatory non-compliance under GDPR. The integrity of the data could be compromised, affecting the trustworthiness of the institution's records. Availability could also be impacted if attackers delete or corrupt data, disrupting organizational operations. Given the nature of charitable organizations, such an incident could also undermine public trust and funding. Furthermore, the vulnerability could be leveraged as a foothold for further network intrusion or lateral movement within the organization's infrastructure.

European organizations using WeGIA should immediately upgrade to version 3.5.0 or later, where the vulnerability is patched. If upgrading is not immediately feasible, organizations should implement web application firewalls (WAFs) with specific rules to detect and block SQL injection attempts targeting the control.php endpoint and the id_produto parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters that interact with the database. Employ prepared statements and parameterized queries in any custom code interfacing with WeGIA or its database. Regularly audit and monitor database logs for suspicious queries or anomalies. Additionally, restrict access to the control.php endpoint to authorized personnel only, using network segmentation and access controls. Finally, ensure that backups of critical data are maintained and tested for integrity to enable recovery in case of data loss or corruption.