
CVE-2025-6173: SQL Injection in Webkul QloApps

Severity: Medium
Tags: Vulnerability, CVE-2025-6173
Published: Tue Jun 17 2025 (06/17/2025, 06:31:07 UTC)
Source: CVE Database V5
Vendor/Project: Webkul
Product: QloApps

Description

A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. Manipulation of the argument packItself leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue because of the admin privilege prerequisite. Still, a fix is planned for a future release.

AI-Powered Analysis

Last updated: 06/17/2025, 07:04:37 UTC

Technical Analysis

CVE-2025-6173 is a SQL injection vulnerability identified in Webkul QloApps version 1.6.1, specifically within the /admin/ajax_products_list.php file. The vulnerability arises from improper sanitization of the 'packItself' parameter, which an attacker can manipulate to inject SQL code. This flaw allows an attacker who already holds administrative privileges to execute arbitrary SQL queries against the backend database remotely. No user interaction is required and the attack complexity is low (AC:L), but high privileges are required (PR:H): the attacker must be an authenticated administrator, and no authentication bypass is involved. The vendor acknowledges the issue but considers it low-level because of the admin-access prerequisite, and a patch is planned for a future release. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the limited reach of the flaw given the need for high privileges; the potential for confidentiality, integrity, and availability impact nonetheless remains, since SQL injection can lead to data leakage, modification, or deletion. No exploitation in the wild is currently reported, but public disclosure increases the likelihood of exploitation attempts. The vulnerability affects only version 1.6.1 of QloApps, a hotel booking and reservation management system developed by Webkul and used by hospitality businesses to manage bookings, inventory, and customer data.

Potential Impact

For European organizations, particularly those in the hospitality sector using Webkul QloApps 1.6.1, this vulnerability poses a risk of unauthorized database manipulation by malicious insiders or attackers who have obtained admin credentials. Potential impacts include exposure of sensitive customer data, alteration or deletion of booking records, and disruption of reservation services, which could lead to financial losses, reputational damage, and regulatory non-compliance under GDPR. Since the vulnerability requires admin privileges, the primary risk vector is credential compromise or insider threat. Organizations with weak admin credential management or insufficient network segmentation are at higher risk. The ability to remotely exploit the vulnerability increases the attack surface, especially for organizations exposing the admin interface over the internet or insufficiently protected internal networks. Given the critical nature of hospitality data and the reliance on accurate booking systems, exploitation could disrupt operations and erode customer trust.

Mitigation Recommendations

1. Immediately restrict access to the /admin/ajax_products_list.php endpoint by implementing network-level controls such as IP whitelisting or VPN-only access to the admin panel.
2. Enforce strong, unique admin credentials and implement multi-factor authentication (MFA) to reduce the risk of credential compromise.
3. Monitor admin account activity for unusual behavior indicative of compromise or misuse.
4. Apply strict input validation and sanitization on all parameters, especially 'packItself', to prevent SQL injection, ideally by upgrading to a patched version once released.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint.
6. Conduct regular security audits and penetration testing focused on admin interfaces and database interactions.
7. Segment the network to isolate the admin interface from public-facing systems, minimizing exposure.
8. Back up databases regularly and verify backup integrity to enable recovery in case of data corruption or deletion.
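To make recommendation 4 concrete, the following PHP is an added illustration, not QloApps' own code: an unsafe handler that concatenates the packItself request value into a query, beside a hardened version that accepts only the values a boolean flag can take and binds it with a prepared statement. The table and column names (product, pack_itself), the function names, and PHP 8 with PDO are assumptions for the example.

```php
<?php
// Added example, not QloApps code. Table/column names are assumptions.

// VULNERABLE pattern: the request value is spliced directly into SQL,
// so anything the client sends is parsed as part of the statement.
function listProductsUnsafe(PDO $db, string $packItself): array
{
    $sql = "SELECT id_product, name FROM product WHERE pack_itself = '" . $packItself . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED step 1: reduce the parameter to the only values it may legitimately
// carry. A toggle such as packItself needs nothing beyond 0/1 or true/false.
function parsePackItselfFlag(mixed $raw): int
{
    $allowed = ['0' => 0, '1' => 1, 'false' => 0, 'true' => 1];
    if (!is_string($raw) || !array_key_exists(strtolower($raw), $allowed)) {
        throw new InvalidArgumentException('packItself must be 0/1 or true/false');
    }
    return $allowed[strtolower($raw)];
}

// HARDENED step 2: bind the validated integer; the value is sent separately
// from the statement text and can never change the query's structure.
// Use a PDO connection created with PDO::ATTR_EMULATE_PREPARES => false
// so the database server, not the driver, performs the binding.
function listProductsSafe(PDO $db, mixed $rawPackItself): array
{
    $flag = parsePackItselfFlag($rawPackItself);
    $stmt = $db->prepare('SELECT id_product, name FROM product WHERE pack_itself = :flag');
    $stmt->bindValue(':flag', $flag, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request entry point: invalid input is answered with HTTP 400 before any
// query runs, which also gives monitoring (recommendation 3) a clear signal.
function handleRequest(PDO $db): void
{
    try {
        $rows = listProductsSafe($db, $_GET['packItself'] ?? '0');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
        return;
    }
    header('Content-Type: application/json');
    echo json_encode($rows);
}
```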


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-16T12:46:02.516Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68510ff4a8c921274385592b

Added to database: 6/17/2025, 6:49:24 AM

Last enriched: 6/17/2025, 7:04:37 AM

Last updated: 8/19/2025, 8:49:59 PM

