CVE-2025-67684
Published: 22 January 2026
Summary
CVE-2025-67684 is a high-severity Path Traversal (CWE-22) vulnerability in Opensolution Quick.Cart. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping has not yet run for this entry; the control below is derived from the weakness type (CWE-22, Path Traversal) cited in the NVD entry.
- Validate pathnames and filenames so that user-supplied input cannot resolve to a location outside the intended directory (for this CVE, the theme directory that the theme selector includes from).
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
LFI and path traversal in the web application's theme upload and selection mechanism let an authenticated, privileged user drop a web shell and execute code on the public-facing server, which maps to Exploit Public-Facing Application (T1190).
NVD Description
Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Deeper analysis (AI-generated)
CVE-2025-67684 affects Quick.Cart, an online shop application, through Local File Inclusion (LFI) and Path Traversal weaknesses in its theme selection mechanism. The application lets privileged users upload arbitrary file contents while checking only the filename extension, so a file whose name passes the check can still contain PHP. Because the theme selector builds an include path from user input without confining it to the theme directory, that uploaded file can be included and executed, giving remote code execution (RCE) on the server. Only version 6.7 was tested and confirmed vulnerable; other versions may also be affected, as the vendor provided no details on the vulnerable range despite early notification.
Exploitation requires high privileges (PR:H), can be performed over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), and results in unchanged scope (S:U) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 7.2. The chain is two steps: an authenticated administrator uploads a file whose extension is allowed but whose body is PHP code, then supplies a traversal sequence to the theme selection parameter so that the include resolves to the uploaded file instead of a legitimate theme, at which point the PHP interpreter runs the attacker's code. The traversal lives in the inclusion step, not the upload step, so the upload does not need to land in a web-served directory; it only needs to be reachable from the theme directory via a relative path.
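The upload-plus-include chain described above, together with the pathname validation listed under the mitigating controls, as an added example that is not Quick.Cart's code. The Python below models the PHP pattern `include "themes/$theme.css"`: the naive resolver splices the theme name straight into the path, while the hardened resolver restricts the name to a safe character set, looks the theme up in an allowlist taken from the directory listing, and finally proves with `realpath` that the resolved file is still under the theme directory. The directory layout, the `.css` theme convention, the `uploads/` directory and the `evil.css` payload are all constructed for the demonstration and are assumptions, not Quick.Cart's real layout or parameter names.

```python
"""Added example, not Quick.Cart's code: naive vs hardened theme-path resolution
and a content check that catches PHP hiding behind an allowed extension.
Layout, file names and payload are constructed for the demo (assumptions)."""
import os
import shutil
import tempfile

# Conservative marker: "<?" also matches "<?xml", which is acceptable for a
# CSS/theme upload endpoint; PHP honours "<?php" and "<?=" regardless of config.
PHP_OPEN_TAGS = (b"<?php", b"<?=", b"<?")


def make_site():
    """Build a constructed site: themes/default.css and uploads/evil.css."""
    root = tempfile.mkdtemp(prefix="theme_demo_")
    themes = os.path.join(root, "themes")
    uploads = os.path.join(root, "uploads")
    os.makedirs(themes)
    os.makedirs(uploads)
    with open(os.path.join(themes, "default.css"), "wb") as f:
        f.write(b"body { color: #000; }\n")
    # Extension-only validation admits this: .css name, PHP body.
    with open(os.path.join(uploads, "evil.css"), "wb") as f:
        f.write(b"<?php system($_GET['cmd']); ?>\n")
    return root


def naive_theme_path(themes_dir, theme):
    """Vulnerable pattern: user input is spliced into the include path as-is."""
    return os.path.join(themes_dir, theme + ".css")


def safe_theme_path(themes_dir, theme):
    """Hardened: character allowlist, lookup against installed themes, containment proof."""
    # 1. Plain identifiers only: no '.', '/', '\\' or NUL can reach the path.
    if not theme or not all(c.isalnum() or c in "-_" for c in theme):
        raise ValueError("theme name contains disallowed characters")
    # 2. The name must be an installed theme, taken from the directory, not from input.
    installed = {os.path.splitext(n)[0]
                 for n in os.listdir(themes_dir) if n.endswith(".css")}
    if theme not in installed:
        raise ValueError("unknown theme")
    # 3. Defence in depth: the resolved file must still sit under themes_dir
    #    (guards against symlinks or later changes to steps 1-2).
    base = os.path.realpath(themes_dir)
    target = os.path.realpath(os.path.join(themes_dir, theme + ".css"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes themes directory")
    return target


def looks_like_php(data):
    """Content check an upload handler should run alongside the extension check."""
    return any(tag in data for tag in PHP_OPEN_TAGS)


def demo():
    """Run the traversal input through both resolvers and report what happens."""
    root = make_site()
    themes = os.path.join(root, "themes")
    uploads_real = os.path.realpath(os.path.join(root, "uploads"))
    traversal = "../uploads/evil"          # becomes themes/../uploads/evil.css
    results = {}
    try:
        naive = os.path.realpath(naive_theme_path(themes, traversal))
        results["naive_escapes"] = naive.startswith(uploads_real + os.sep)
        with open(naive, "rb") as f:
            results["naive_is_php"] = looks_like_php(f.read())
        try:
            safe_theme_path(themes, traversal)
            results["safe_rejects"] = False
        except ValueError:
            results["safe_rejects"] = True
        results["safe_default"] = os.path.basename(safe_theme_path(themes, "default"))
        with open(os.path.join(themes, "default.css"), "rb") as f:
            results["default_is_php"] = looks_like_php(f.read())
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the three checks in `safe_theme_path` matters: the allowlist lookup (step 2) is what actually makes the selector safe, because it never builds a path from attacker text at all; the character filter and the `realpath` containment check are cheap insurance against the allowlist being weakened later. The `looks_like_php` check belongs in the upload handler, since extension validation alone is exactly what this CVE shows to be insufficient.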
Advisories note that the vendor was notified early but did not respond with vulnerability details, affected versions, or patches. Relevant references include a CERT.PL advisory at https://cert.pl/posts/2026/01/CVE-2025-67683 and the Quick.Cart product page at https://opensolution.org/sklep-internetowy-quick-cart.html, which provide further context but no specific mitigation guidance.
Details
- CWE(s)