Impact
WeGIA's remover_produto_ocultar.php uses PHP's extract() to copy all request variables into local scope and then concatenates those variables directly into a SQL query executed via PDO::query. This flaw allows an attacker who is authenticated, or who has bypassed authentication, to inject arbitrary SQL commands. The result is a full SQL injection vulnerability that can be used to exfiltrate sensitive data from the database or, as demonstrated in the PoC, to cause a time-based delay that can be leveraged for denial-of-service. The vulnerability is classified as CWE-89 and carries a CVSS score of 9.8.
Affected Systems
The affected product is LabRedesCefetRJ’s WeGIA application. All installations of version 3.6.5 and earlier are vulnerable; the issue is fixed in version 3.6.6 and beyond. The affected component is identified by the CPE string cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*.
Risk and Exploitability
The CVSS score indicates a very high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires the attacker to supply request parameters, it is likely exploitable by an attacker with authenticated access or one who has bypassed authentication, though the time-based denial-of-service technique could potentially be triggered remotely depending on the server configuration. Overall, the risk remains high because of the severity and the ease of exploitation for any attacker who can supply input.