CVE-2025-67684

7.2 HIGH

📋 TL;DR

Quick.Cart e-commerce software contains a Local File Inclusion and Path Traversal vulnerability in its theme selection mechanism. This allows authenticated privileged users to upload and execute arbitrary PHP code, leading to remote code execution on the server. All Quick.Cart installations with vulnerable versions are affected.

💻 Affected Systems

Products:
  • Quick.Cart e-commerce software
Versions: Version 6.7 confirmed vulnerable, other versions likely affected (vendor did not provide version range)
Operating Systems: Any OS running PHP (Linux, Windows, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires privileged user access to exploit. All default installations with vulnerable versions are affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise allowing attacker to execute arbitrary commands, steal sensitive data, install backdoors, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Attacker gains shell access to the web server, can deface websites, steal customer data and payment information, and use the server for further attacks.

🟢

If Mitigated

If proper file upload validation and web application firewall rules are in place, exploitation attempts would be blocked or detected.

🌐 Internet-Facing: HIGH - Web applications are directly accessible from the internet, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal attackers with privileged access could exploit this, but requires authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY - Path traversal to RCE vulnerabilities are commonly weaponized in exploit kits.
Unauthenticated Exploit: ✅ No
Complexity: LOW - Once an attacker obtains privileged credentials, exploitation is straightforward.

Exploitation requires authenticated privileged access. The vulnerability combines LFI and file upload bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor did not respond to disclosure

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative e-commerce platforms or implementing strict workarounds.

🔧 Temporary Workarounds

Restrict File Upload Extensions

Implement server-side validation that only allows safe file extensions and rejects PHP uploads entirely. Note that web-server access rules like the ones below only stop an uploaded PHP file from being requested over HTTP; they do not stop the application's own include of a traversed path, so pair them with the WAF rules and with disabling theme upload.

# Web server config (Apache 2.4 example). Do not apply this site-wide:
# Quick.Cart is itself PHP and would stop working. Scope it to the
# directory that uploaded theme files are written to (placeholder path below).
<Directory "/var/www/quickcart/UPLOAD_DIR">
    <FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps)$">
        Require all denied
    </FilesMatch>
</Directory>
# The same rule as an .htaccess file placed in that upload directory
# (Apache 2.2 syntax; on 2.4 without mod_access_compat use the
# "Require all denied" form shown above instead):
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

Implement Web Application Firewall Rules

Configure WAF to block path traversal attempts and suspicious file upload patterns.

# ModSecurity rule examples. Request-body inspection (SecRequestBodyAccess On)
# must be enabled for phase 2 rules to see multipart uploads. ARGS values are
# already URL-decoded once; t:urlDecodeUni also catches double-encoded %252e%252e%252f.
SecRule ARGS "@rx \.\./" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,log,msg:'Path Traversal Attempt'"
# Block PHP uploads by the client-supplied filename: match on FILES, not FILES_TMPNAMES
# (that collection holds the server's temporary names such as /tmp/phpAbC123, which never end in .php).
SecRule FILES "@rx (?i)\.(php|phtml|php[3457]|phps)$" "id:1002,phase:2,t:none,deny,log,msg:'PHP File Upload Blocked'"

🧯 If You Can't Patch

  • Immediately disable theme upload functionality in Quick.Cart admin panel
  • Implement strict network segmentation to isolate Quick.Cart server from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check whether the Quick.Cart version is 6.7; treat installations whose version cannot be determined as affected. Test the theme upload functionality with file names containing path traversal sequences.

Check Version:

# Check Quick.Cart version in admin panel or look for version files in installation directory

Verify Fix Applied:

Attempts to upload PHP files through the theme mechanism should be blocked. Also test path traversal attempts in the file inclusion parameters.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed theme upload attempts
  • Requests containing '../' sequences in theme parameters
  • PHP file uploads through theme endpoints
  • Unusual file write operations in web directories

Network Indicators:

  • POST requests to theme upload endpoints with PHP content
  • HTTP requests with path traversal sequences in parameters
  • Unexpected outbound connections from web server

SIEM Query:

source="web_logs" AND (uri="*theme*" AND (param="*../*" OR file_extension="php"))
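The log indicators and SIEM query above, as an added detection example that is not part of the advisory or of Quick.Cart: a small Python checker that parses Apache combined-format lines, URL-decodes query parameters (including double-encoded ones), and flags theme-related requests carrying `../` sequences or PHP-extension filenames. The sample log lines, the `/admin.php` route and the `theme`/`file` parameter names are constructed for illustration and are assumptions, not Quick.Cart's actual endpoints.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not real traffic);
# the /admin.php route and the parameter names are assumptions, not Quick.Cart's.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [20/Jan/2025:10:01:02 +0000] "GET /admin.php?p=themes&theme=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [20/Jan/2025:10:01:09 +0000] "GET /admin.php?p=themes&theme=../../files/upload HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [20/Jan/2025:10:01:15 +0000] "GET /admin.php?p=themes&theme=%252e%252e%252ftmp HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [20/Jan/2025:10:02:30 +0000] "POST /admin.php?p=themes&action=upload&file=shell.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jan/2025:10:03:00 +0000] "GET /index.php?p=products HTTP/1.1" 200 2048 "-" "curl/8.0"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
PHP_EXT_RE = re.compile(r"\.(php|phtml|php[3457]|phps)$", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e%252f) is exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyze_line(line):
    """Return indicator tags for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    uri = m.group("uri")
    if "theme" not in decode_fully(uri).lower():  # mirror the SIEM query's uri="*theme*"
        return []
    tags = []
    for key, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        for raw in values:
            val = decode_fully(raw).replace("\\", "/")  # treat ..\ the same as ../
            if "../" in val:
                tags.append(f"traversal:{key}")
            if PHP_EXT_RE.search(val):
                tags.append(f"php_upload:{key}")
    return tags

def scan_logs(lines):
    """Map line number -> tags for every line carrying at least one indicator."""
    return {n: analyze_line(l) for n, l in enumerate(lines, 1) if analyze_line(l)}

if __name__ == "__main__":
    for n, tags in scan_logs(SAMPLE_LOGS).items():
        print(f"line {n}: {', '.join(tags)}")
```

Point it at real access logs by replacing SAMPLE_LOGS with the file's lines; the tags map directly onto the "Requests containing '../' sequences" and "PHP file uploads through theme endpoints" indicators listed above.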
