WeGIA Password Reset Vulnerability in Control.php Endpoint Allowing Unauthorized Access to User Accounts

Vulnerability

A vulnerability in WeGIA, a web manager for charitable institutions, allows users to change passwords without verifying the old one. This issue affects versions prior to 3.2.6 and is present in the control.php endpoint. The flaw enables unauthorized attackers to bypass authentication and authorization, resetting passwords for any user, including administrators.

Impact

Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized access to user accounts, including admin accounts.

Reproduction

To reproduce this vulnerability, send a POST request to the control.php endpoint without including the old password. The request must include the new password, password confirmation, and the user ID of the account to be targeted. Once the request is processed, the password will be changed, and the new password can be used to log in to the account.

Remediation

Update to WeGIA version 3.2.6 or later, which fixes this vulnerability.
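The defect described above is a password-change handler that neither re-authenticates the caller nor checks who the caller is allowed to modify. The handler below is an added example of the hardened form, not WeGIA's own code: it assumes a started session carrying `user_id` and `role`, a PDO connection, and a `users` table with `id` and `password_hash` columns, all hypothetical names.

```php
<?php
// Added example (not WeGIA code): a password-change handler that closes the
// gap in the advisory. Assumed: $session holds the authenticated user's
// 'user_id' and 'role'; $pdo is a PDO handle; table users(id, password_hash).
declare(strict_types=1);

function change_password(PDO $pdo, array $session, array $post): array
{
    // 1. Authentication: an anonymous request must never reach the update.
    if (empty($session['user_id'])) {
        return [401, 'not authenticated'];
    }
    $callerId = (int) $session['user_id'];
    // The target defaults to the caller; a supplied user_id is not trusted blindly.
    $targetId = (int) ($post['user_id'] ?? $callerId);

    // 2. Authorisation: only the account owner or an admin may change it.
    $isAdmin = ($session['role'] ?? '') === 'admin';
    if ($targetId !== $callerId && !$isAdmin) {
        return [403, 'not allowed to change another account'];
    }

    // 3. Required fields: the current password is mandatory, never optional.
    foreach (['old_password', 'new_password', 'confirm_password'] as $f) {
        if (!isset($post[$f]) || $post[$f] === '') {
            return [400, "missing $f"];
        }
    }
    if (!hash_equals($post['new_password'], $post['confirm_password'])) {
        return [400, 'password confirmation does not match'];
    }
    if (strlen($post['new_password']) < 12) {
        return [400, 'new password too short'];
    }

    // 4. Re-authenticate the caller against the stored hash before any change.
    $sel = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $sel->execute([$callerId]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($post['old_password'], $row['password_hash'])) {
        return [403, 'current password incorrect'];
    }

    // 5. Only now store the new hash for the authorised target account.
    $newHash = password_hash($post['new_password'], PASSWORD_DEFAULT);
    $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $upd->execute([$newHash, $targetId]);
    return [200, 'password changed'];
}
```

A request that omits `old_password`, as in the advisory's reproduction, now fails at step 3, and a request naming another user's id fails at step 2 unless the caller is an admin; existing sessions for the target should also be invalidated after a successful change.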

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.