How the CVE Works
CVE-2025-1155 is a stored Cross-Site Scripting (XSS) vulnerability in Webkul QloApps 1.6.1, located in the `/stores` endpoint of the "Your Location Search" feature. The location search term supplied by a visitor is written back into the page's HTML without being encoded, so a crafted value containing markup (a `<script>` tag or an `on*` event handler on another tag) is parsed as code by the browser of whoever views the resulting page, including an administrator reviewing store location data. Because the input is accepted from the public store front, no authentication is needed to plant the payload; the attack is remote and the payload runs in the victim's browser with that user's session.
DailyCVE Form
Platform: Webkul QloApps
Version: 1.6.1
Vulnerability: Stored XSS
Severity: Medium
Date: 06/20/2025
Prediction: Patch by 08/2025
What Undercode Says
Check vulnerable endpoint: `curl -X GET "http://target/stores?location=<script>alert(1)</script>"`
Exploit PoC (value to submit in the location search field): `<img src=x onerror=alert(document.cookie)>`
Two caveats on that check: curl does not execute JavaScript, so `alert(1)` proves nothing on its own; inspect the returned HTML for the tag reproduced with its angle brackets intact (`&lt;script&gt;` in the response means the value was encoded and the test failed), and prefer a unique marker string over `alert(1)` so the hit cannot be confused with page content. Also note that injecting through the `location` query parameter exercises the reflected path of this endpoint; for the stored case, the value must be saved on the server and the page re-requested without the payload in the URL to confirm it is served from stored data.
How to Exploit
- Submit a location search value containing an HTML payload, for example an `<img>` tag with an `onerror` handler, so the store location data contains live markup.
- When an administrator or other user opens the page that renders that data, the browser parses the payload as HTML and runs the attacker's script in that user's session.
- The script can then read `document.cookie` (if the session cookie lacks `HttpOnly`), send it to an attacker-controlled host, or issue requests to the back office with the admin's privileges.
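The following Python script is an added example, not code from the page or from QloApps, that automates the check the curl command above is meant to perform: it sends a unique canary through the `location` parameter (the parameter name used on this page) and classifies how the response reflects it, so you get an "unescaped / escaped / absent" verdict rather than a silent `alert(1)`. The `vulnerable_stores_page` function is a constructed stand-in for the unpatched template so the script runs offline; against a real host you are authorised to test, pass `live_fetch` instead of the fake fetcher.

```python
import html
import urllib.request
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

# Unique marker carrying a harmless tag: a verbatim hit in the raw HTML is
# unambiguous, unlike alert(1), which fires only when a browser renders the page.
CANARY = "qlo7x<svg/onload=x>qlo7x"


def build_test_url(base_url: str, param: str, payload: str) -> str:
    """Place the payload in the query parameter, URL-encoded."""
    return f"{base_url}?{urlencode({param: payload})}"


def classify_reflection(body: str, payload: str = CANARY) -> str:
    """Classify how a response body reflects the payload.

    'unescaped': the marker appears byte-for-byte with its angle brackets,
                 so a browser would parse it as markup (XSS);
    'escaped':   it appears only with < > & HTML-encoded (safe rendering);
    'absent':    it is not reflected at all (filtered, or not echoed here).
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload) in body:
        return "escaped"
    return "absent"


def check_endpoint(fetch: Callable[[str], str], base_url: str, param: str = "location") -> str:
    """Send the canary through `fetch` and return the reflection verdict."""
    return classify_reflection(fetch(build_test_url(base_url, param, CANARY)))


def live_fetch(url: str, timeout: float = 10.0) -> str:
    """Real HTTP fetcher for a host you are authorised to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# --- Constructed stand-in for the vulnerable page (hypothetical, not QloApps code) ---

def vulnerable_stores_page(location: str) -> str:
    """Echoes the search term into the HTML body without encoding."""
    return f"<html><body><h1>Stores near {location}</h1></body></html>"


def fake_fetch_for(render: Callable[[str], str]) -> Callable[[str], str]:
    """Offline fetcher: routes the URL's `location` parameter into `render`."""
    def fetch(url: str) -> str:
        query = parse_qs(urlparse(url).query)
        return render(query.get("location", [""])[0])
    return fetch


if __name__ == "__main__":
    verdict = check_endpoint(fake_fetch_for(vulnerable_stores_page), "http://target/stores")
    print(f"constructed vulnerable page: {verdict}")
    # Against a real target: check_endpoint(live_fetch, "http://target/stores")
```

The canary is deliberately not an `alert`: the decision is made on the raw HTML, which is what the server actually controls, and the same function tells you whether a patch that merely encodes the output has taken effect.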
Protection from this CVE
- Encode the location value for the HTML context it is rendered in (HTML body text and attribute values) at output time in the `/stores` templates; input filtering alone is a weaker defence, since the same value can be rendered in several contexts.
- Deploy a Content Security Policy whose `script-src` has no `'unsafe-inline'` (use a per-response nonce or hashes) so that injected inline scripts and `on*` handlers do not execute even if encoding is missed somewhere.
- Mark the session cookie `HttpOnly` so a successful injection cannot read it via `document.cookie`, as the PoC above attempts.
- Upgrade to the patched version once it is released.
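To make the first two protections concrete, here is an added Python example (not QloApps code; the `render_store_search` template, the parameter name `location` and the `initStoreMap` call are hypothetical) showing the same user value encoded for both an attribute context and a text context, a nonce-based CSP built per response, and a small policy check that tells you whether a given CSP header would still let the page's `onerror` payload run. The weak policy it tests against is the common mistake of adding `'unsafe-inline'` to `script-src`.

```python
import html
import secrets
from typing import Dict, List, Optional

# The page's own PoC, plus a constructed attribute-breakout variant.
PAYLOAD_TAG = "<img src=x onerror=alert(document.cookie)>"
PAYLOAD_ATTR = '" autofocus onfocus=alert(1) x="'


def render_store_search(term: str, nonce: str) -> str:
    """Hypothetical hardened rendering of the location search.

    The user value lands in two HTML contexts: the input's value attribute and
    the heading text. html.escape with quote=True neutralises < > & and both
    quote characters, so one encoding is correct for both contexts here.
    """
    safe = html.escape(term, quote=True)
    return (
        '<form action="/stores">'
        f'<input name="location" value="{safe}">'
        "</form>"
        f"<h1>Stores near {safe}</h1>"
        f'<script nonce="{nonce}">initStoreMap();</script>'
    )


def new_nonce() -> str:
    """Fresh per-response nonce; reusing one across responses defeats it."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Policy under which only scripts carrying this nonce execute."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into directive name -> source list."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_script_sources(header: str) -> Optional[List[str]]:
    """script-src, falling back to default-src as browsers do; None if neither is set."""
    directives = parse_csp(header)
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def allows_inline_script(header: str) -> bool:
    """True if the policy would let an injected inline script or on* handler run.

    Inline code executes only under 'unsafe-inline', and browsers ignore
    'unsafe-inline' once a nonce or hash source appears in the same directive.
    An injected handler never matches a legitimate nonce or hash, so it stays blocked.
    """
    sources = effective_script_sources(header)
    if sources is None:
        return True  # no directive governs script at all
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not nonce_or_hash


# Weak setting beside the corrected one built by build_csp().
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    nonce = new_nonce()
    print(render_store_search(PAYLOAD_TAG, nonce))
    print("weak CSP allows injected inline script:", allows_inline_script(WEAK_CSP))
    print("nonce CSP allows injected inline script:", allows_inline_script(build_csp(nonce)))
```

The CSP check is a policy-level test, not a browser: it answers whether a header you are about to ship still leaves the inline-handler door open, which is exactly the question the `<img onerror>` PoC poses.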
Impact
- Session hijacking of any user, including administrators, who views the injected location data.
- Unauthorized back-office actions performed through the victim's browser with their privileges.
- Leakage of data visible to the victim's session.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode