Description
SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents.
Published: 2026-03-21
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (Arbitrary File Read)
Action: Patch Now
AI Analysis

Impact

SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows an authenticated attacker to retrieve the contents of any file on the server by sending a crafted POST request to the backend theme endpoints using directory traversal sequences in the getcss or getjs parameters.
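To make the flaw class concrete, the following is an added illustration written for this page; it is not SeoToaster's code, and the directory layout, file names and the .css/.js allowlist are assumptions. It models the pattern the advisory describes (a request parameter joined onto the theme directory and read as-is) next to a confined version that canonicalizes the path and checks it stays inside the theme directory.

```python
import os
import tempfile


# Constructed stand-in for an install tree; the layout is an assumption and
# not SeoToaster's real directory structure.
def make_install_tree():
    root = tempfile.mkdtemp(prefix="seotoaster-demo-")
    theme_dir = os.path.join(root, "themes", "default")
    os.makedirs(theme_dir)
    with open(os.path.join(theme_dir, "style.css"), "w") as fh:
        fh.write("body { color: red; }")
    # A file outside the theme directory that an editor must never return.
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("db_password=example-secret")
    return root, theme_dir


def read_theme_file_vulnerable(theme_dir, requested):
    """Flawed pattern from the advisory: the parameter is joined onto the
    theme directory and read without checking where the result lands, so
    '../' sequences walk out of the theme directory."""
    path = os.path.join(theme_dir, requested)
    with open(path) as fh:
        return fh.read()


def read_theme_file_hardened(theme_dir, requested, allowed_ext=(".css", ".js")):
    """Confined version: canonicalize both sides, then require the resolved
    path to stay under the theme directory and to carry an expected
    extension. realpath() follows symlinks, so a link planted inside the
    theme directory cannot point outside it either."""
    base = os.path.realpath(theme_dir)
    # os.path.join drops `base` entirely when `requested` is absolute, which
    # is why the containment check runs on the resolved result, not the input.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes theme directory: {requested!r}")
    if not candidate.lower().endswith(allowed_ext):
        raise PermissionError(f"unexpected file type: {requested!r}")
    with open(candidate) as fh:
        return fh.read()


def demo():
    """Return what each variant yields for a benign and a traversal input."""
    root, theme_dir = make_install_tree()
    results = {
        "vulnerable_benign": read_theme_file_vulnerable(theme_dir, "style.css"),
        "vulnerable_traversal": read_theme_file_vulnerable(theme_dir, "../../config.ini"),
        "hardened_benign": read_theme_file_hardened(theme_dir, "style.css"),
    }
    try:
        read_theme_file_hardened(theme_dir, "../../config.ini")
        results["hardened_traversal"] = "read succeeded"
    except PermissionError as exc:
        results["hardened_traversal"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check compares the resolved path, not the raw parameter, so encoded or backslash variants that a filter might miss are still caught once the filesystem resolves them; an absolute path such as /etc/passwd is rejected for the same reason, because os.path.join discards the base directory for absolute input.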

Affected Systems

The vulnerability affects Seotoaster's SeoToaster Ecommerce product, version 3.0.0 (the NVD CPE was later broadened to a wildcard version, so other releases may also be in scope). The affected components are the backend theme editing endpoints at /backend/backend_theme/editcss/ and /backend/backend_theme/editjs/, which accept the getcss and getjs parameters respectively.

Risk and Exploitability

The CVSS v4.0 base score of 6.8 (v3.1: 5.5) indicates medium severity. Exploitation requires an authenticated backend account (PR:L), which limits the attack surface to users who already hold CMS credentials. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records exploitation as "poc", not automatable, with partial technical impact. Note that both published CVSS vectors rate the attack vector as local (AV:L) even though the issue is triggered by HTTP POST requests to the backend endpoints; anyone who can reach the backend over the network and log in can exploit it, so treat a network-exposed backend as the real exposure.

Generated by OpenCVE AI on March 21, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or upgrade to a fixed release as soon as one is published; at the time of writing none is listed, so the remaining items are the available mitigations.
  • Restrict the /backend/backend_theme/editcss/ and /backend/backend_theme/editjs/ endpoints to trusted administrators only, and keep the backend off the public internet (IP allowlist or VPN), since any authenticated backend user can exploit this.
  • Add server-side validation that canonicalizes the getcss and getjs values and rejects anything resolving outside the theme directory; a web application firewall rule blocking traversal sequences is a stopgap and must also cover percent-encoded, double-encoded and backslash variants.
  • Monitor for POST requests to the two endpoints and investigate anomalies; the traversal payload travels in the POST body, so a standard access log shows only the endpoint hit and body-level inspection needs a WAF or reverse proxy that logs request bodies.
  • Run the application under an account with the least privileges necessary so that an arbitrary read cannot reach configuration or credential files belonging to other services.
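As an added example of the monitoring step (written for this page, not an OpenCVE or SeoToaster tool), the following scans request records for POSTs to the two theme endpoints whose getcss or getjs value decodes to a traversal sequence or an absolute path. The records are constructed, and it is assumed that a WAF or reverse proxy has logged the request body, since an ordinary access log carries only the method and path.

```python
from urllib.parse import parse_qs, unquote

# Endpoints and parameters named in the advisory.
TARGET_PATHS = ("/backend/backend_theme/editcss/", "/backend/backend_theme/editjs/")
TARGET_PARAMS = ("getcss", "getjs")


def normalize(value, max_rounds=3):
    """Undo repeated percent-encoding (so %252e%252e%252f and %2e%2e/ both
    become ../) and fold backslashes into slashes before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def traversal_reason(value):
    """Return why a parameter value looks like an arbitrary-file read, or None."""
    norm = normalize(value)
    if "../" in norm:
        return "directory traversal"
    if norm.startswith("/"):
        return "absolute path"
    return None


def check_request(req):
    """req is a dict with src, method, path and the raw form body. Only POSTs
    to the two theme endpoints are examined; a hit reports the decoded value."""
    if req["method"] != "POST" or req["path"].split("?", 1)[0] not in TARGET_PATHS:
        return None
    params = parse_qs(req["body"], keep_blank_values=True)
    for name in TARGET_PARAMS:
        for raw in params.get(name, []):
            reason = traversal_reason(raw)
            if reason:
                return {"src": req["src"], "path": req["path"], "param": name,
                        "value": normalize(raw), "reason": reason}
    return None


def scan(requests):
    return [hit for hit in map(check_request, requests) if hit]


# Constructed request records for the demo; they are not real traffic.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/backend/backend_theme/editcss/",
     "body": "getcss=style.css"},
    {"src": "203.0.113.7", "method": "POST", "path": "/backend/backend_theme/editcss/",
     "body": "getcss=..%2F..%2F..%2F..%2Fetc%2Fpasswd"},
    {"src": "203.0.113.7", "method": "POST", "path": "/backend/backend_theme/editjs/",
     "body": "getjs=%252e%252e%252f%252e%252e%252fconfig.ini"},
    {"src": "198.51.100.9", "method": "POST", "path": "/backend/backend_theme/editjs/",
     "body": "getjs=..\\..\\windows\\win.ini"},
    {"src": "10.0.0.5", "method": "GET", "path": "/backend/backend_theme/editcss/",
     "body": ""},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit['src']} {hit['path']} {hit['param']}={hit['value']} ({hit['reason']})")
```

Decoding is repeated until the value stops changing so that double-encoded payloads are caught, and the benign first record and the GET request produce no hit; the same normalization is what a WAF rule for this issue needs, because a rule that matches only the literal string "../" misses the encoded forms.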

Generated by OpenCVE AI on March 21, 2026 at 16:51 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:seotoaster:seotoaster:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents.
Title SeoToaster Ecommerce 3.0.0 Local File Inclusion via backend_theme
First Time appeared Seotoaster
Seotoaster seotoaster
Weaknesses CWE-22
CPEs cpe:2.3:a:seotoaster:seotoaster:3.0.0:*:*:*:*:*:*:*
Vendors & Products Seotoaster
Seotoaster seotoaster
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:24:31.805Z

Reserved: 2026-03-21T15:25:12.792Z

Link: CVE-2019-25577

Vulnrichment

Updated: 2026-03-23T16:24:28.538Z

NVD

Status : Analyzed

Published: 2026-03-21T16:16:01.523

Modified: 2026-04-15T16:57:23.147

Link: CVE-2019-25577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:06Z

Weaknesses