{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25577", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-21T15:25:12.792Z", "datePublished": "2026-03-21T15:30:36.380Z", "dateUpdated": "2026-03-23T16:24:31.805Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:22.560Z"}, "title": "SeoToaster Ecommerce 3.0.0 Local File Inclusion via backend_theme", "descriptions": [{"lang": "en", "value": "SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "affected": [{"vendor": "Seotoaster", "product": "SeoToaster Ecommerce", "versions": [{"version": "3.0.0", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:seotoaster:seotoaster:3.0.0:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.8, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46190", "name": "ExploitDB-46190", "tags": ["exploit"]}, {"url": "https://www.seotoaster.com/shopping-cart/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: SeoToaster Ecommerce 3.0.0 Local File Inclusion via backend_theme", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-via-backend-theme"}], "credits": [{"lang": "en", "value": "Ihsan Sencan", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-01-18T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:24:21.879925Z", "id": "CVE-2019-25577", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:24:31.805Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25577", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:24:21.879925Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:24:28.538Z"}}], "cna": {"title": "SeoToaster Ecommerce 3.0.0 Local File Inclusion via backend_theme", "credits": [{"lang": "en", "type": "finder", "value": "Ihsan Sencan"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Seotoaster", "product": "SeoToaster Ecommerce", "versions": [{"status": "affected", "version": "3.0.0"}]}], "datePublic": "2019-01-18T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46190", "name": "ExploitDB-46190", "tags": ["exploit"]}, {"url": "https://www.seotoaster.com/shopping-cart/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-via-backend-theme", "name": "VulnCheck Advisory: SeoToaster Ecommerce 3.0.0 Local File Inclusion via backend_theme", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:seotoaster:seotoaster:3.0.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T00:15:22.560Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25577", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:24:31.805Z", "dateReserved": "2026-03-21T15:25:12.792Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-21T15:30:36.380Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:seotoaster:seotoaster:*:*:*:*:*:*:*:*", "matchCriteriaId": "C87CB7F0-70F1-4E50-AF88-8B756B2381C0", "versionEndIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents."}, {"lang": "es", "value": "SeoToaster Ecommerce 3.0.0 contiene una vulnerabilidad de inclusi\u00f3n local de ficheros que permite a atacantes autenticados leer ficheros arbitrarios manipulando par\u00e1metros de ruta en los puntos finales de temas del backend. Los atacantes pueden enviar solicitudes POST a /backend/backend_theme/editcss/ o /backend/backend_theme/editjs/ con secuencias de salto de directorio en los par\u00e1metros getcss o getjs para recuperar el contenido de los ficheros."}], "id": "CVE-2019-25577", "lastModified": "2026-04-15T16:57:23.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-21T16:16:01.523", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46190"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.seotoaster.com/shopping-cart/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-via-backend-theme"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "seotoaster", "vendor": "seotoaster"}], "analysis": {"en": {"generated_at": "2026-03-21T16:51:37.085096+00:00", "value": {"mitigation_remediation": ["Deploy the official vendor patch for version\u202f3.0.0 or upgrade to a newer version that resolves the issue.", "If no patch is available, restrict access to the /backend/backend_theme/editcss/ and /backend/backend_theme/editjs/ endpoints to administrators only, or block them altogether for non\u2011admin users.", "Apply input validation or a web application firewall rule to reject directory traversal sequences in the getcss and getjs parameters.", "Monitor backend logs for suspicious POST requests targeting the vulnerable endpoints and investigate anomalies.", "Ensure the application runs with the least privileges necessary."], "summary": {"action": "Patch Now", "impact": "Local File Inclusion (Arbitrary File Read)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Seotoaster\u2019s SeoToaster Ecommerce product, version 3.0.0. The compromised components are the backend theme editing endpoints located at /backend/backend_theme/editcss/ and /backend/backend_theme/editjs/.", "description_and_impact": "SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows an authenticated attacker to retrieve the contents of any file on the server by sending a crafted POST request to the backend theme endpoints using directory traversal sequences in the getcss or getjs parameters.", "risk_and_exploitability": "The CVSS base score of 6.8 indicates medium severity. Exploitation requires authenticated access to the backend system, limiting the attack surface. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is web\u2011based, involving POST requests to the vulnerable endpoints with traversal payloads."}}}}, "created": "2026-03-23T09:49:03.605714+00:00", "updated": "2026-03-25T14:47:06.199955+00:00", "vendors": ["seotoaster", "seotoaster$PRODUCT$seotoaster"]}