
CVE-2025-61665: CWE-287: Improper Authentication in LabRedesCefetRJ WeGIA

Severity: High
Tags: CVE-2025-61665, CWE-287, CWE-200
Published: Thu Oct 02 2025 (10/02/2025, 20:39:09 UTC)
Source: CVE Database V5
Vendor/Project: LabRedesCefetRJ
Product: WeGIA

Description

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.

AI-Powered Analysis

Last updated: 10/03/2025, 00:13:21 UTC

Technical Analysis

CVE-2025-61665 is a high-severity vulnerability affecting WeGIA, an open-source web management platform primarily used by charitable institutions. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-200 (Information Exposure). Specifically, versions of WeGIA prior to 3.5.0 contain a broken access control flaw in the get_relatorios_socios.php endpoint. This flaw allows unauthenticated attackers to bypass authentication and authorization mechanisms, granting direct access to sensitive personal and financial data of members managed by the platform. The vulnerability is remotely exploitable over the network without any user interaction or privileges, as indicated by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). The impact on confidentiality is high, as attackers can retrieve sensitive information without any barriers. The vulnerability has a CVSS score of 8.7, reflecting its critical impact on data confidentiality and the ease of exploitation. Although no known exploits are currently reported in the wild, the presence of such a flaw in a platform used by charitable organizations poses a significant risk of data breaches and privacy violations. The issue was addressed in WeGIA version 3.5.0, which implements proper access control checks to prevent unauthorized data access. Organizations using affected versions should prioritize upgrading to the patched release to mitigate this risk.

Potential Impact

For European organizations, particularly charitable institutions and NGOs utilizing WeGIA, this vulnerability could lead to severe data breaches involving personal and financial information of donors, members, and beneficiaries. Exposure of such sensitive data can result in loss of trust, reputational damage, regulatory penalties under GDPR, and potential financial fraud. The breach of confidentiality may also lead to identity theft and targeted phishing attacks against affected individuals. Since the vulnerability requires no authentication and can be exploited remotely, attackers could automate data extraction at scale, increasing the risk of widespread data compromise. The impact extends beyond individual organizations to the broader charitable sector, potentially undermining public confidence in nonprofit data handling practices across Europe.

Mitigation Recommendations

1. Upgrade immediately to WeGIA version 3.5.0 or later, which contains the fix for this vulnerability.
2. If upgrading is not immediately feasible, implement network-level access controls such as IP whitelisting or VPN restrictions to limit access to the get_relatorios_socios.php endpoint.
3. Conduct thorough audits of server logs to detect any unauthorized access attempts to sensitive endpoints.
4. Employ web application firewalls (WAFs) configured to block unauthenticated requests targeting sensitive API endpoints.
5. Review and enhance internal access control policies to ensure that sensitive data endpoints require proper authentication and authorization.
6. Educate staff and stakeholders about the risks of data exposure and ensure timely application of security patches.
7. Perform regular security assessments and penetration testing focused on access control mechanisms to detect similar vulnerabilities proactively.
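As an added illustration of recommendation 3 (not code from WeGIA or from this advisory), the script below parses Apache/nginx combined-format access log lines, collects every request to get_relatorios_socios.php per client address, counts how many were actually served with a 2xx, and flags sources that fetched reports in bulk. The log lines, addresses, paths and query strings are constructed for the example; the URL path under which WeGIA serves the endpoint is assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format; addresses, paths
# and query strings are invented for this example, not taken from WeGIA.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2025:21:01:10 +0000] "GET /get_relatorios_socios.php?id=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [02/Oct/2025:21:01:11 +0000] "GET /get_relatorios_socios.php?id=2 HTTP/1.1" 200 4980 "-" "python-requests/2.31"
203.0.113.7 - - [02/Oct/2025:21:01:12 +0000] "GET /get_relatorios_socios.php?id=3 HTTP/1.1" 200 5030 "-" "python-requests/2.31"
198.51.100.4 - - [02/Oct/2025:21:05:40 +0000] "GET /get_relatorios_socios.php?id=7 HTTP/1.1" 200 5100 "https://wegia.example/" "Mozilla/5.0"
198.51.100.4 - - [02/Oct/2025:21:06:02 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Oct/2025:22:10:00 +0000] "GET /get_relatorios_socios.php?id=1 HTTP/1.1" 302 0 "-" "curl/8.4"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ENDPOINT = "get_relatorios_socios.php"


def parse_line(line):
    """Parse one combined-format line; None when the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit_endpoint(log_text, endpoint=ENDPOINT, threshold=3):
    """Per client address, count requests to `endpoint` and how many were
    served (2xx). On an unpatched install every served hit is worth review;
    `threshold` or more served hits from one source is flagged as bulk extraction."""
    per_ip = defaultdict(lambda: {"requests": 0, "served": 0, "agents": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or endpoint not in rec["path"].split("?", 1)[0]:
            continue  # unparsable line or a different resource
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["agents"].add(rec["agent"])
        if rec["status"].startswith("2"):
            entry["served"] += 1
    return {
        ip: {
            "requests": e["requests"],
            "served": e["served"],
            "agents": sorted(e["agents"]),
            "bulk_extraction": e["served"] >= threshold,
        }
        for ip, e in per_ip.items()
    }
```

A 302 to the login page on a request to the endpoint is the behaviour to expect after the fix; on affected versions, any 200 from an address with no prior authenticated session is a likely data exposure.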


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-29T20:25:16.179Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68df13500005234f78f7269e

Added to database: 10/3/2025, 12:05:36 AM

Last enriched: 10/3/2025, 12:13:21 AM

Last updated: 10/3/2025, 7:41:02 AM

