CVE-2025-59939 is a high-severity SQL Injection vulnerability affecting versions of the WeGIA web management system prior to 3.5.0. WeGIA is a web-based platform designed to assist charitable institutions in managing their operations. The vulnerability exists in the control.php endpoint, specifically in the parameters nomeClasse=ProdutoControle, metodo=excluir, and id_produto. The id_produto parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands. This improper neutralization of special elements in SQL commands (CWE-89) can lead to unauthorized database queries, potentially exposing or modifying sensitive data. The vulnerability is exploitable remotely over the network without user interaction, requiring only low privileges (PR:L) on the system. The CVSS 3.1 score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, as successful exploitation can lead to full compromise of the backend database. The issue has been addressed in WeGIA version 3.5.0 by implementing prepared statements, input validation, and sanitization on the id_produto parameter to prevent injection attacks. No known exploits have been reported in the wild yet, but the ease of exploitation and the critical impact make this a significant threat to organizations using vulnerable versions of WeGIA.

For European organizations, particularly charitable institutions using WeGIA versions prior to 3.5.0, this vulnerability poses a severe risk. Exploitation could lead to unauthorized access to sensitive donor information, financial records, and operational data, resulting in data breaches and loss of trust. The integrity of the database could be compromised, allowing attackers to alter or delete critical data, disrupting organizational operations. Availability could also be affected if attackers execute destructive SQL commands, potentially causing denial of service. Given the nature of charitable organizations, data confidentiality and integrity are paramount, and breaches could have legal and reputational consequences under GDPR and other data protection regulations in Europe. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement within the organization's infrastructure.

European organizations using WeGIA should immediately upgrade to version 3.5.0 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the control.php endpoint and specifically the id_produto parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters that interact with the database. Employ prepared statements and parameterized queries in any custom integrations or extensions of WeGIA. Regularly audit and monitor database logs for suspicious queries or anomalies. Implement strict access controls to limit the privileges of accounts interacting with the database to minimize potential damage. Finally, conduct security awareness training for developers and administrators on secure coding practices to prevent similar vulnerabilities.