CVE-2025-30361
CRITICALWeGIA < 3.2.6 - Unauthenticated Password Change via control.php Endpoint
Title source: llmDescription
WeGIA is a Web manager for charitable institutions. A security vulnerability was identified in versions prior to 3.2.6, where it is possible to change a user's password without verifying the old password. This issue exists in the control.php endpoint and allows unauthorized attackers to bypass authentication and authorization mechanisms to reset the password of any user, including admin accounts. Version 3.2.6 fixes the issue.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m6qw-r3m9-jf7h
Scores
CVSS v3
9.8
EPSS
0.0006
EPSS Percentile
17.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-287
Status
published
Products (1)
wegia/wegia
< 3.2.6
Published
Mar 27, 2025
Tracked Since
Feb 18, 2026