CVE-2015-5595

MEDIUM

zenphoto < 1.4.9 - Cross-Site Request Forgery in admin.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-5595. PoCs published by Tim Coen.

AI-analyzed exploit summary: This is a detailed technical writeup describing multiple vulnerabilities in ZenPhoto 1.4.8, including SQL injection via ORDER BY manipulation, reflected XSS through URL parameters, path traversal in theme editing, and arbitrary function execution. It provides specific exploit paths and payloads but does not include functional exploit code.

Description

Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption).

Exploits (1)

exploitdb WRITEUP
by Tim Coen · text · webapps · php
https://www.exploit-db.com/exploits/37602


Classification
Writeup 95%
Attack Type
SQLi | XSS | Info Leak | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: ZenPhoto 1.4.8
Auth required
Prerequisites: Admin access to ZenPhoto · Error reporting enabled for SQLi
Analyzed by devstral-2 on Feb 18, 2026

References (3)


Scores

CVSS v3 6.5
EPSS 0.0145
EPSS Percentile 70.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-352
Status published
Products (1)
zenphoto/zenphoto < 1.4.9
Published Dec 31, 2019
Tracked Since Feb 18, 2026