CVE-2025-67684
Unknown Unknown - Not Provided

Local File Inclusion in Quick.Cart 6.7 Enables RCE

Vulnerability report for CVE-2025-67684, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-22

Last updated on: 2026-02-19

Assigner: CERT.PL

Description

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-22
Last Modified
2026-02-19
Generated
2026-07-06
AI Q&A
2026-01-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opensolution quick.cart 6.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Quick.Cart involves Local File Inclusion and Path Traversal issues in the theme selection mechanism. A privileged user can upload files with arbitrary content, bypassing proper validation by only checking the filename extension. This allows an attacker to include and execute malicious PHP code on the server, leading to Remote Code Execution.

Impact Analysis

The vulnerability can lead to Remote Code Execution on the server, which means an attacker could run arbitrary code with the privileges of the web server. This can result in full compromise of the server, data theft, data loss, or further attacks within the network.

Mitigation Strategies

Since the vulnerability allows Remote Code Execution via uploaded PHP files through the theme selection mechanism, immediate mitigation steps include restricting or disabling the ability for privileged users to upload files, especially PHP files; implementing strict validation and sanitization of uploaded filenames and contents beyond just extension checks; applying access controls to limit who can upload or change themes; and monitoring and auditing uploads for suspicious files. Additionally, consider isolating the affected system and applying any available patches or updates once provided by the vendor.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67684. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart