CVE-2025-67684
Remote Code Execution via Local File Inclusion in Quick.CartQuick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
We have discovered 345 live websites that are affected by CVE-2025-67684.
Affected Software
| Product |  Quick.Cart |
| Category | Ecommerce |
| Vulnerable Domains | 345 live websites (55% of Quick.Cart install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 1 versions ( 11% of all versions) |
Common Weakness Enumeration
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Details
- Published - Jan 22, 2026
- Updated - Jan 22, 2026
Credits
- Arkadiusz Marta (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-67684 United States | 6 websites |
 Poland | 237 websites |
 Czech Republic | 27 websites |
 France | 16 websites |
 Hungary | 12 websites |
 Germany | 11 websites |
 Netherlands | 9 websites |
 Slovakia | 7 websites |
 Romania | 5 websites |
 Denmark | 4 websites |
Website Distribution by TLD
Number of websites using CVE-2025-67684| .pl | 164 websites |
| .com | 43 websites |
| .cz | 22 websites |
| .eu | 15 websites |
| .nl | 9 websites |
| .de | 8 websites |
| .net | 6 websites |
| .dk | 3 websites |
| .info | 3 websites |
| .co.uk | 2 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-67684
Top websites that are affected by CVE-2025-67684. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****************.de | Germany | ***,*** | |
| *******.***.pl | Poland | ***,*** | |
| ****.************.org | Poland | ***,*** | |
| ************.com | Poland | ***,*** | |
| ************.de | Germany | ***,*** | |
| ***********.hu | Hungary | *,***,*** | |
| *************.pl | Poland | *,***,*** | |
| *******.***.pl | Poland | *,***,*** | |
| *******.****.pl | Poland | *,***,*** | |
| ***********.pl | Poland | *,***,*** |
FAQ
CVE-2025-67684 is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Quick.Cart
A total of 345 websites have been identified as vulnerable to CVE-2025-67684, based on global website indexing conducted by WebTechSurvey.
The Quick.Cart is affected by the CVE-2025-67684 vulnerability.
Quick.Cart versions up to and including 6.7 are vulnerable to CVE-2025-67684.