CVE-2025-6173
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webkul | qloapps | 1.6.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6173 is a critical SQL injection vulnerability in Webkul QloApps version 1.6.1. It exists in the 'packItself' parameter of the '/admin/ajax_products_list.php' file. An attacker with admin privileges can remotely exploit this flaw by injecting malicious SQL commands through this parameter, potentially leading to unauthorized data leakage, data manipulation, or other harmful database operations. The vulnerability arises due to improper handling of special characters in the SQL query, corresponding to CWE-89. [1, 2]
How can this vulnerability impact me? :
If exploited, this vulnerability can compromise the confidentiality, integrity, and availability of the affected system's data. An attacker with admin access can perform unauthorized database operations such as extracting sensitive information, modifying data, or disrupting service. Since the exploit is remotely executable and proof-of-concept code is publicly available, it poses a significant risk if admin credentials are compromised or misused. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable endpoint /admin/ajax_products_list.php in Webkul QloApps version 1.6.1 and testing the 'packItself' parameter for SQL injection. One method to identify potentially vulnerable targets is using Google dorking with the query: inurl:admin/ajax_products_list.php. For active testing, you can use tools like curl or sqlmap to send crafted requests to the 'packItself' parameter and observe if SQL injection is possible. Example command using curl to test the parameter (replace URL and parameters accordingly): curl -X POST 'http://target/admin/ajax_products_list.php' -d 'packItself=1 OR 1=1' -H 'Cookie: admin_session=your_session_cookie'. Alternatively, sqlmap can be used to automate detection: sqlmap -u 'http://target/admin/ajax_products_list.php' --data='packItself=1' --risk=3 --level=5. Note that admin authentication is required to exploit or test this vulnerability. [2, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /admin/ajax_products_list.php endpoint to trusted administrators only, ensuring strong authentication and session management to prevent unauthorized admin access. Since no official patch is currently available, consider disabling or restricting the vulnerable functionality if possible. Monitoring and logging admin activities and web requests to detect suspicious behavior related to the 'packItself' parameter is recommended. Additionally, consider using web application firewalls (WAF) to block SQL injection attempts targeting this parameter. If feasible, consider using alternative products until a patch is released by the vendor. [2]