CVE-2019-25577

low-risk
Published 2026-03-21

SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

References (4)

https://www.exploit-db.com/exploits/46190
https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip
https://www.seotoaster.com/shopping-cart/
https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-v...
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal