CVE-2019-25577

SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.exploit-db.com/exploits/46190	Exploit VDB Entry
https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip	Product
https://www.seotoaster.com/shopping-cart/	Product
https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-via-backend-theme	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:seotoaster:seotoaster:*:*:*:*:*:*:*:*

History

15 Apr 2026, 16:57

Type	Values Removed	Values Added
References	~~() https://www.exploit-db.com/exploits/46190 -~~	() https://www.exploit-db.com/exploits/46190 - Exploit, VDB Entry
References	~~() https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip -~~	() https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip - Product
References	~~() https://www.seotoaster.com/shopping-cart/ -~~	() https://www.seotoaster.com/shopping-cart/ - Product
References	~~() https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-via-backend-theme -~~	() https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-via-backend-theme - Third Party Advisory
CPE		cpe:2.3:a:seotoaster:seotoaster::::::::
First Time		Seotoaster Seotoaster seotoaster
Summary		(es) SeoToaster Ecommerce 3.0.0 contiene una vulnerabilidad de inclusión local de ficheros que permite a atacantes autenticados leer ficheros arbitrarios manipulando parámetros de ruta en los puntos finales de temas del backend. Los atacantes pueden enviar solicitudes POST a /backend/backend_theme/editcss/ o /backend/backend_theme/editjs/ con secuencias de salto de directorio en los parámetros getcss o getjs para recuperar el contenido de los ficheros.

21 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-21 16:16

Updated : 2026-04-15 16:57

NVD link : CVE-2019-25577

Mitre link : CVE-2019-25577

CVE.ORG link : CVE-2019-25577

JSON object : View

Products Affected

seotoaster

seotoaster

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

5.5 /10