CVE-2025-6173 | Webkul QloApps 1.6.1 ajax_products_list.php packItself sql injection

A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection.

This vulnerability is known as CVE-2025-6173. The attack can be launched remotely. Furthermore, there is an exploit available.

The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release.

CVE-2025-6173 | Webkul QloApps 1.6.1 ajax_products_list.php packItself sql injection

Post correlati

CVE-2024-0730 | Project Worlds Online Time Table Generator 1.0 course_ajax.php id sql injection

CVE-2024-5566 | GitHub Enterprise Server up to 3.9.16/3.10.13/3.11.11/3.12.5/3.13.0 Personal Access Token privileges management

CVE-2025-0290 | GitLab Community Edition/Enterprise Edition up to 17.6.3/17.7.1/17.8.0 Background Job infinite loop

CVE-2024-8531 | Schneider Electric Data Center Expert Versions 8.1.1.3 and prior signature verification (SEVD-2024-282-01)