An issue in webkul qloapps before v1.6.0 allows an malicious user to obtain sensitive information via the id_order parameter.
webkul qloapps