
CVE-2025-61605: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA

Severity: Critical
Tags: vulnerability, cve-2025-61605, cwe-89
Published: Thu Oct 02 2025 (10/02/2025, 20:13:02 UTC)
Source: CVE Database V5
Vendor/Project: LabRedesCefetRJ
Product: WeGIA

Description

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an SQL Injection vulnerability which was identified in the /pet/profile_pet.php endpoint, specifically in the id_pet parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue is fixed in version 3.5.0.

AI-Powered Analysis

Last updated: 10/03/2025, 00:14:50 UTC

Technical Analysis

CVE-2025-61605 is a critical SQL injection vulnerability in WeGIA, an open-source web management platform for charitable institutions. Versions 3.4.12 and earlier build an SQL statement from the id_pet parameter of the /pet/profile_pet.php endpoint without neutralizing special characters, so a request that places SQL syntax in id_pet changes the structure of the query the database executes.

The consequences are the usual ones for this bug class: unauthorized reads of other tables (confidentiality), unauthorized modification or deletion of rows (integrity), and denial of service through expensive or blocking queries (availability), up to full compromise of the database if the application's database account holds broad privileges. The CVSS 4.0 score of 9.4 reflects a network-reachable attack of low complexity that needs no user interaction and only low privileges. The affected endpoint serves pet profiles, which may contain sensitive personal or organizational data.

WeGIA 3.5.0 fixes the issue. The advisory does not describe the fix itself; the standard remediation for this class of bug is to validate id_pet against the format it must have (a numeric identifier) and to pass it to the database as a bound parameter of a prepared statement rather than splicing it into the query text. No exploits in the wild have been reported, but a bug of this kind is trivial to exploit once found, which makes it a high-priority patch.
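The following is an added illustration of the bug class described above, not WeGIA's code: the advisory publishes no source, so the table names, columns and rows are constructed, and the three handlers are hypothetical stand-ins for a profile-page query. It shows, against an in-memory SQLite database, why splicing id_pet into the SQL text lets a UNION payload pull an unrelated table through the pet query, why binding the value as a prepared-statement parameter stops that on its own, and how a format allowlist on id_pet adds a second layer that rejects the request before it reaches the database.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demonstration; these are not
# WeGIA's real tables, and the password hashes are placeholder strings.
SCHEMA = """
CREATE TABLE pet (id_pet INTEGER PRIMARY KEY, nome TEXT, especie TEXT);
CREATE TABLE usuario (id INTEGER PRIMARY KEY, login TEXT, senha_hash TEXT);
INSERT INTO pet VALUES (1, 'Rex', 'cachorro'), (2, 'Mimi', 'gato');
INSERT INTO usuario VALUES (1, 'admin', 'hash-placeholder-1'),
                           (2, 'voluntario', 'hash-placeholder-2');
"""

# A pet identifier is a plain positive integer; anything else is rejected.
ID_PET_FORMAT = re.compile(r"[1-9][0-9]*")

# Constructed UNION payload: it pulls the user table through the pet query.
# The column count (3) must match the original SELECT for the UNION to parse.
PAYLOAD = "1 UNION SELECT id, login, senha_hash FROM usuario"


def make_db():
    """Return an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def profile_pet_vulnerable(conn, id_pet):
    """Bug pattern: the raw request parameter is spliced into the SQL text,
    so SQL syntax inside id_pet becomes part of the statement."""
    sql = "SELECT id_pet, nome, especie FROM pet WHERE id_pet = " + id_pet
    return conn.execute(sql).fetchall()


def profile_pet_bound_only(conn, id_pet):
    """Prepared statement with the value bound as a parameter: the payload
    is compared as a single string against id_pet and matches nothing."""
    sql = "SELECT id_pet, nome, especie FROM pet WHERE id_pet = ?"
    return conn.execute(sql, (id_pet,)).fetchall()


def profile_pet_safe(conn, id_pet):
    """Hardened form: validate the parameter against its expected format,
    then bind it as an integer; malformed input never reaches the database."""
    if not isinstance(id_pet, str) or not ID_PET_FORMAT.fullmatch(id_pet):
        raise ValueError("id_pet must be a positive integer")
    sql = "SELECT id_pet, nome, especie FROM pet WHERE id_pet = ?"
    return conn.execute(sql, (int(id_pet),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal request   :", profile_pet_vulnerable(db, "1"))
    print("injected request :", profile_pet_vulnerable(db, PAYLOAD))
    print("bound parameter  :", profile_pet_bound_only(db, PAYLOAD))
    try:
        profile_pet_safe(db, PAYLOAD)
    except ValueError as err:
        print("validated handler:", err)
```

The bound-only handler already defeats the injection, which is why prepared statements are the fix rather than keyword filtering; the format check in the last handler is defense in depth and also gives the application a clean place to log and reject malformed requests.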

Potential Impact

For European organizations running WeGIA, particularly charitable institutions, this vulnerability poses a significant risk. Exploitation could expose donor information, internal records and other personal data held in the same database, which would fall under GDPR's breach-notification and data-protection obligations. Unauthorized modification of records would undermine the integrity of the institution's data and the trust placed in it, and availability impacts could disrupt day-to-day service delivery. A breach could therefore bring reputational damage, regulatory fines and legal consequences. Because the flaw is remotely exploitable without user interaction, European entities should treat the upgrade as urgent.

Mitigation Recommendations

Organizations should upgrade WeGIA to version 3.5.0 or later, where the vulnerability is fixed. Until the upgrade is applied, enforce the expected format of id_pet at the web application firewall or reverse proxy: the parameter is a numeric identifier, so a positive-integer allowlist is both tighter and more reliable than blocking SQL keyword patterns, which attackers routinely evade with encoding and comments. If the deployment carries custom modifications, make sure they use parameterized queries and prepared statements, and review them and the rest of the codebase for the same string-concatenation pattern; targeted penetration testing for SQL injection is worthwhile after the upgrade as well.

For detection, check web server access logs for requests to /pet/profile_pet.php whose id_pet value is not a plain integer, and watch database logs for unexpected UNION, time-delay or error-based query patterns. Restrict the application's database account to the minimum privileges it needs so that a successful injection cannot read or alter unrelated tables. Finally, keep regular backups and test that they restore cleanly, so that data corruption or deletion can be recovered from.
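The log check recommended above, as an added example rather than anything from the project or the advisory: it parses Apache combined-format access log lines, URL-decodes the query string, and flags every request to /pet/profile_pet.php whose id_pet is not a plain positive integer. The log lines, addresses and timestamps are constructed for the example; the path and parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines; addresses and timestamps are
# made up. Two of the four requests carry injection payloads in id_pet.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2025:21:01:10 +0000] "GET /pet/profile_pet.php?id_pet=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Oct/2025:21:01:12 +0000] "GET /pet/profile_pet.php?id_pet=7%20UNION%20SELECT%201,login,senha%20FROM%20usuario HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2025:21:02:03 +0000] "GET /pet/profile_pet.php?id_pet=7'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "curl/8.4.0"
198.51.100.9 - - [02/Oct/2025:21:02:40 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "curl/8.4.0"
"""

# Minimal combined-format parser: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint named in the advisory and the only shape id_pet may take.
TARGET_PATH = "/pet/profile_pet.php"
ID_PET_FORMAT = re.compile(r"[1-9][0-9]*")


def flag_id_pet_requests(log_text):
    """Return one finding per request whose decoded id_pet fails the allowlist.

    Decoding happens before the check, so percent-encoded or plus-encoded
    payloads are judged on what the application actually received.
    """
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(match["target"])
        if parts.path != TARGET_PATH:
            continue
        values = parse_qs(parts.query, keep_blank_values=True).get("id_pet", [])
        for value in values:
            if ID_PET_FORMAT.fullmatch(value):
                continue  # a well-formed identifier, nothing to report
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "id_pet": value,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_id_pet_requests(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} status={finding['status']} "
              f"id_pet={finding['id_pet']!r}")
```

A 200 status on a flagged request is itself a signal: a patched or correctly validating handler should reject such values, so success responses to malformed id_pet values after the upgrade indicate the fix did not take effect. The same allowlist expression is what a WAF rule for this endpoint should enforce.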


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-26T16:25:25.151Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68df13500005234f78f726b5

Added to database: 10/3/2025, 12:05:36 AM

Last enriched: 10/3/2025, 12:14:50 AM

Last updated: 10/3/2025, 2:37:11 AM

