CVE-2025-67684

Remote Code Execution via Local File Inclusion in Quick.Cart

Assigner: CERT-PL
Reserved: 10.12.2025 Published: 22.01.2026 Updated: 22.01.2026

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	OpenSolution
Product	Quick.Cart
Versions	Default: unknown Version 6.7 is affected

Vendor

OpenSolution

Product

Quick.Cart

Versions

Default: unknown

Version 6.7 is affected

Credits

Arkadiusz Marta finder

References

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE

Impacts

CAPEC-252 PHP Local File Inclusion
CAPEC-126 Path Traversal