CVE-2025-22133: WeGIA Allows Arbitrary File Upload with Remote Code Execution (RCE)

10.0 CVSS

Description

WeGIA is a web manager for charitable institutions. In versions prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar files, which the server can then execute. This vulnerability is fixed in 3.2.8.
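The defect described above is an upload handler that trusts the client-supplied file name and content. The following Python snippet is an added example of the validation a spreadsheet-import endpoint should perform before storing an upload; it is not WeGIA's code or the fix in the referenced commit, and the allow-list, size limit, required ZIP members and sample inputs are all assumptions constructed for illustration. It rejects the non-XLSX extension, the double extension, and non-ZIP content, requires the members an Office Open XML workbook must carry, and derives a server-chosen storage name so the client never controls the path or extension.

```python
import hashlib
import io
import os
import zipfile

# Assumption: the importer only needs Office Open XML workbooks.
ALLOWED_EXTENSIONS = {".xlsx"}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024
# Members every .xlsx container carries; their absence means "not a workbook".
REQUIRED_ZIP_MEMBERS = ("[Content_Types].xml", "xl/workbook.xml")


def validate_xlsx_upload(client_filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Checks name, size and content, in that order."""
    # Never trust the client path: reduce it to a bare file name.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return False, "empty or traversal file name"

    # Exactly one extension, taken from the allow-list. This also rejects
    # double extensions such as "lista.xlsx.phar".
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or "." + parts[1] not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {base}"

    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"

    # Content check: an .xlsx is a ZIP container, so it must start with the
    # local-file-header signature and must parse as a ZIP.
    if not data.startswith(b"PK\x03\x04"):
        return False, "content is not a ZIP container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            for member in REQUIRED_ZIP_MEMBERS:
                if member not in names:
                    return False, f"missing workbook member: {member}"
            # Entry names are attacker-controlled too; refuse absolute or
            # traversal paths in case the archive is ever extracted to disk.
            for name in names:
                if name.startswith("/") or ".." in name.split("/"):
                    return False, f"unsafe archive entry: {name}"
    except zipfile.BadZipFile:
        return False, "corrupt ZIP container"
    return True, "ok"


def safe_storage_name(data: bytes) -> str:
    """Server-chosen name: content hash plus a fixed extension.

    Store the file outside the web root so it can never be requested (or
    executed) directly, whatever its contents turn out to be.
    """
    return hashlib.sha256(data).hexdigest() + ".xlsx"


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook container used as a benign test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("_rels/.rels", '<?xml version="1.0"?><Relationships/>')
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/worksheets/sheet1.xml", '<?xml version="1.0"?><worksheet/>')
    return buf.getvalue()


# Constructed stand-in for a non-spreadsheet upload (not a real payload).
NON_SPREADSHEET = b"<?php /* constructed non-spreadsheet content */ ?>"

if __name__ == "__main__":
    workbook = build_sample_xlsx()
    for name, blob in [
        ("lista.xlsx", workbook),
        ("lista.phar", workbook),
        ("lista.xlsx.phar", workbook),
        ("lista.xlsx", NON_SPREADSHEET),
    ]:
        print(name, validate_xlsx_upload(name, blob))
```

The order matters: the cheap name and size checks run before the archive is opened, and the archive is parsed from memory rather than written to disk first, so a rejected upload never touches the file system under a name the client chose.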

Classification

CVE ID: CVE-2025-22133

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

Affected Products

Vendor: nilsonLazarin

Product: WeGIA

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild)

EPSS Percentile: 11.49% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-05 (date the score was calculated)

References

https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf
https://github.com/nilsonLazarin/WeGIA/commit/a08f04de96d3caec85496d7a89a5b82d1960d9dd

Timeline