ShopCart Plus contains a flaw that allows a remote attacker to execute arbitrary commands. The flaw is due to no sanity checking on input supplied to the "file" variable. It is possible to supply a ";" and any valid unix command, which will be executed by the program.
Currently, there are no known workarounds or upgrades to correct this issue.
However, Kabotie Software Technologies has released a patch to address this vulnerability.