CVE-2025-67684

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cert.pl/posts/2026/01/CVE-2025-67683	Third Party Advisory
https://opensolution.org/sklep-internetowy-quick-cart.html	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:*

History

19 Feb 2026, 18:33

Type	Values Removed	Values Added
References	~~() https://cert.pl/posts/2026/01/CVE-2025-67683 -~~	() https://cert.pl/posts/2026/01/CVE-2025-67683 - Third Party Advisory
References	~~() https://opensolution.org/sklep-internetowy-quick-cart.html -~~	() https://opensolution.org/sklep-internetowy-quick-cart.html - Product
CPE		cpe:2.3:a:opensolution:quick.cart:6.7:::::::*
First Time		Opensolution Opensolution quick.cart
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2

26 Jan 2026, 15:04

Type	Values Removed	Values Added
Summary		(es) Quick.Cart es vulnerable a problemas de inclusión local de ficheros y salto de ruta en el mecanismo de selección de temas. Quick.Cart permite a un usuario privilegiado subir contenido de ficheros arbitrario mientras solo valida la extensión del nombre de fichero. Esto permite a un atacante incluir y ejecutar código PHP subido, lo que resulta en ejecución remota de código en el servidor. El proveedor fue notificado con antelación sobre esta vulnerabilidad, pero no respondió con los detalles de la vulnerabilidad o el rango de versiones vulnerables. Solo la versión 6.7 fue probada y confirmada como vulnerable, otras versiones no fueron probadas y también podrían ser vulnerables.

22 Jan 2026, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 12:15

Updated : 2026-02-19 18:33

NVD link : CVE-2025-67684

Mitre link : CVE-2025-67684

CVE.ORG link : CVE-2025-67684

JSON object : View

Products Affected

opensolution

quick.cart

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.2 /10