CVE-2025-67684
Local File Inclusion in Quick.Cart 6.7 Enables RCE

Publication date: 2026-01-22

Last updated on: 2026-02-19

Assigner: CERT.PL

Description
Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor        Product     Version / Range
opensolution  quick.cart  6.7
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Quick.Cart involves Local File Inclusion and Path Traversal issues in the theme selection mechanism. A privileged user can upload files with arbitrary content, bypassing proper validation by only checking the filename extension. This allows an attacker to include and execute malicious PHP code on the server, leading to Remote Code Execution.
How can this vulnerability impact me?

The vulnerability can lead to Remote Code Execution on the server, which means an attacker could run arbitrary code with the privileges of the web server. This can result in full compromise of the server, data theft, data loss, or further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?

Since the vulnerability allows Remote Code Execution via uploaded PHP files through the theme selection mechanism, immediate mitigation steps include restricting or disabling the ability for privileged users to upload files, especially PHP files; implementing strict validation and sanitization of uploaded filenames and contents beyond just extension checks; applying access controls to limit who can upload or change themes; and monitoring and auditing uploads for suspicious files. Additionally, consider isolating the affected system and applying any available patches or updates once provided by the vendor.
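The following is an added example, not Quick.Cart code and not part of the CERT.PL record: a PHP theme-selection resolver and theme-file upload validator that implement the mitigations described above (an allowlist pattern for the theme directory name, a canonical-path check against the themes root, and content validation that goes beyond the filename extension). The function names, the `templates` root directory, and the set of allowed file types are assumptions for illustration; Quick.Cart's actual code paths are not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example (not Quick.Cart code). THEMES_ROOT is an assumed location.
const THEMES_ROOT = __DIR__ . '/templates';

// Only a plain directory name is ever accepted: no slashes, dots, colons or NUL
// bytes, so "../" and "php://" style values are rejected before any filesystem call.
function resolveThemeDir(string $requested, string $themesRoot = THEMES_ROOT): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $root = realpath($themesRoot);
    $dir  = realpath($themesRoot . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // Defence in depth: the canonical path must still sit under the themes root.
    if (strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $dir;
}

// Files a theme may legitimately contain (assumed allowlist), mapped to the MIME
// types the bytes must actually have. Anything else, PHP included, is refused
// regardless of what the filename claims.
const THEME_FILE_TYPES = [
    'css'  => ['text/css', 'text/plain'],
    'js'   => ['text/javascript', 'application/javascript', 'text/plain'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

// Returns [bool accepted, string reason]. $tmpPath is the uploaded temp file.
function validateThemeUpload(string $tmpPath, string $originalName): array
{
    $base = basename($originalName);
    // Exactly one extension: double-extension names are rejected outright.
    if (substr_count($base, '.') !== 1) {
        return [false, 'filename must have exactly one extension'];
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(THEME_FILE_TYPES[$ext])) {
        return [false, "extension .$ext is not allowed in a theme"];
    }
    // Content check 1: the detected MIME type must match the claimed extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, THEME_FILE_TYPES[$ext], true)) {
        return [false, 'content type ' . var_export($mime, true) . " does not match .$ext"];
    }
    // Content check 2: text assets must not carry a PHP open tag, and images must
    // actually decode rather than merely start with a plausible magic number.
    $data = file_get_contents($tmpPath);
    if (in_array($ext, ['css', 'js'], true) && preg_match('/<\?(php|=)?/i', $data)) {
        return [false, 'PHP open tag found in text asset'];
    }
    if (in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true) && @getimagesize($tmpPath) === false) {
        return [false, 'image does not decode'];
    }
    return [true, 'ok'];
}

// Constructed demo (not from the page): build a throwaway themes root holding one
// theme directory and run the resolver over a legal name and three hostile ones.
$root = sys_get_temp_dir() . '/themes_' . bin2hex(random_bytes(4));
mkdir($root . '/default', 0700, true);
foreach (['default', '../../etc', 'php://filter', "default\0.txt"] as $name) {
    printf("%-20s => %s\n", addcslashes($name, "\0"), resolveThemeDir($name, $root) ?? 'rejected');
}
```

Two design notes. First, the resolver never tries to "clean" a traversal sequence out of the value; it accepts only names that could not express one, and the `realpath` comparison exists for the case where a theme directory is itself a symlink pointing elsewhere. Second, content validation of this kind cannot detect PHP hidden inside the metadata of an otherwise valid image, so it is a complement to, not a substitute for, configuring the web server so that nothing under the theme directory is ever executed as PHP, and limiting the upload capability to the administrators who genuinely need it, as the mitigation answer above recommends.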