Vulnerability Description
A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webkul | Qloapps | <= 1.7.0 |
Related Weaknesses (CWE)
References
- https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-FunctionExploitThird Party Advisory
- https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-FunctionExploitThird Party Advisory
- https://vuldb.com/?ctiid.325114Permissions RequiredVDB Entry
- https://vuldb.com/?id.325114Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.645821Third Party AdvisoryVDB Entry
FAQ
What is CVE-2025-10759?
CVE-2025-10759 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization...
How severe is CVE-2025-10759?
CVE-2025-10759 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-10759?
Check the references section above for vendor advisories and patch information. Affected products include: Webkul Qloapps.