CVE-2026-28411

WeGIA · WeGIA

Unsafe use of the PHP extract() function in WeGIA allows unauthenticated attackers to overwrite local variables and bypass administrative authentication checks.

Executive summary

WeGIA is vulnerable to a critical variable overwrite flaw that enables unauthenticated attackers to bypass security controls and gain full administrative access to the application.

Vulnerability

Multiple PHP scripts utilize the extract() function on the $_REQUEST superglobal without proper sanitization. This allows an unauthenticated attacker to overwrite critical variables, effectively neutralizing authentication and authorization logic.
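The pattern described above beside a hardened replacement, as an added example written for this advisory rather than code taken from WeGIA; the variable and parameter names are hypothetical, and the request is a constructed array so the script runs from the command line with `php extract_demo.php`:

```php
<?php
// Added example (not WeGIA's code): how extract($_REQUEST) lets a request
// parameter shadow a local variable, and the safe alternative.
// $_REQUEST is replaced by a constructed array so this runs from the CLI.
declare(strict_types=1);

// Constructed request: the client supplies a parameter whose name matches
// an internal variable (hypothetical name, not taken from WeGIA).
$request = ['page' => 'home', 'is_admin' => '1'];

// VULNERABLE pattern: every request key becomes a local variable, so the
// authorization flag derived from the server-side session is replaced by
// whatever the client sent. The default EXTR_OVERWRITE mode makes this
// silent; EXTR_SKIP would protect $is_admin here but not any variable
// assigned after the extract() call, so the only safe fix is not to extract.
function vulnerableCheck(array $request, bool $sessionIsAdmin): bool
{
    $is_admin = $sessionIsAdmin;   // trusted value from the session
    extract($request);             // $is_admin now holds the client's '1'
    return (bool) $is_admin;
}

// HARDENED pattern: read only the parameters the script expects, by name,
// and never let request data touch authorization state.
function hardenedCheck(array $request, bool $sessionIsAdmin): array
{
    $allowed = ['page'];
    $params  = array_intersect_key($request, array_flip($allowed));
    $page    = (string) ($params['page'] ?? 'home'); // the one client value used
    // Authorization comes from the session alone; 'is_admin' in the request
    // is simply ignored because it is not in the allow-list.
    return ['page' => $page, 'is_admin' => $sessionIsAdmin];
}

$sessionIsAdmin = false;   // an anonymous visitor
var_dump(vulnerableCheck($request, $sessionIsAdmin));
var_dump(hardenedCheck($request, $sessionIsAdmin));
```

Running the script shows the vulnerable function granting admin to the anonymous visitor while the hardened function keeps the session's answer.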

Business impact

A successful exploit allows an attacker to gain unauthorized access to administrative and protected areas, leading to a complete compromise of sensitive data held by the charitable institution. The CVSS score of 9.8 reflects the severity of this authentication bypass, which can result in total loss of confidentiality, integrity, and availability.

Remediation

Immediate Action: Update to WeGIA version 3.6.5 without delay, as this release removes the unsafe use of the extract() function.

Proactive Monitoring: Monitor web server logs for requests containing suspicious parameter names that match internal variable names, which may indicate an attempt to overwrite application logic.

Compensating Controls: Disable the use of extract() in the PHP configuration if possible, or use a WAF to filter out suspicious global variable names in incoming HTTP requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability for an unauthenticated attacker to gain administrative privileges via a simple variable overwrite is a critical risk. Immediate deployment of version 3.6.5 is the only reliable way to mitigate this flaw and protect the application from total takeover.