CVE-2025-6173

Name of the Vulnerable Software and Affected Versions Webkul QloApps version 1.6.1

Description A critical vulnerability was found in Webkul QloApps, affecting an unknown functionality of the file /admin/ajax products list.php. The manipulation of the packItself argument leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. A fix is planned for a future release.

Recommendations For Webkul QloApps version 1.6.1, as a temporary workaround, consider restricting access to the /admin/ajax products list.php file until a patch is available. Additionally, avoid manipulating the packItself argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.