CVE-2011-4403

Zen Cart 1.3.9h - Cross-Site Request Forgery via Product Management Actions

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-4403. PoCs published by DisK0nn3cT.

AI-analyzed exploit summary This is a functional CSRF exploit for Zen Cart 1.3.9h, demonstrating how an attacker can trick an admin into deleting a product via a crafted HTML form. The exploit bypasses the security token check by submitting an arbitrary value.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by DisK0nn3cT · htmlwebappsphp

https://www.exploit-db.com/exploits/36688

View Code ZIP pw:eip

This is a functional CSRF exploit for Zen Cart 1.3.9h, demonstrating how an attacker can trick an admin into deleting a product via a crafted HTML form. The exploit bypasses the security token check by submitting an arbitrary value.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Zen Cart 1.3.9h

Auth required

Prerequisites: Admin session active in the target browser

MITRE ATT&CK

T1556.002 - Password Filter DLL

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2012/Feb/171

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/79137

Scores

EPSS 0.0171

EPSS Percentile 74.3%

Details

CWE

CWE-352

Status published

Products (1)

zen-cart/zen_cart 1.3.9h

Published Apr 24, 2015

Tracked Since Feb 18, 2026