PHP remote file inclusion vulnerability in popup_window.php in Squirrelcart 1.x.x and earlier allows remote attackers to execute arbitrary PHP code via a URL in the site_isp_root parameter, probably related to cart.php.
https://www.exploit-db.com/exploits/4295
https://exchange.xforce.ibmcloud.com/vulnerabilities/36112