CubeCart before 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.
cubecart cubecart