CVE-2015-8352

CRITICAL

Zen Cart 1.5.4 - Local File Inclusion via ajax.php act Parameter Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-8352: a PoC published by High-Tech Bridge SA.

AI-analyzed exploit summary The advisory (HTB23282) describes a local file inclusion in Zen Cart 1.5.4: the 'act' parameter of '/ajax.php' is used to build the path of the file to include without being sanitized, so a remote unauthenticated attacker can supply directory traversal sequences (..) and make the script include and execute an arbitrary local file with the web server's privileges. If the attacker can place or control a file containing PHP on the server, this becomes remote code execution. The advisory rates the issue CVSSv3 9.0; NVD scores it 9.8 (see Scores below). The vendor fixed it in the November 2015 security patches for 1.5.4.

Description

Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.
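The description above reduces to one testable condition: a request to ajax.php whose act parameter, once URL-decoded, still contains a dot-dot traversal sequence. The following Python scanner is an added example, not code from Zen Cart, from the High-Tech Bridge advisory or from the exploit-db entry. It parses combined-format access-log lines, decodes the act value (including double-encoded forms such as %252e%252e) and flags attempts against this CVE. The log lines and the class name ajaxPayment are constructed for the example and are not real Zen Cart identifiers.

```python
"""
Access-log scanner for CVE-2015-8352 attempts (Zen Cart 1.5.4, ajax.php 'act').

Added example, not Zen Cart or advisory code. Flags requests to ajax.php whose
decoded 'act' parameter contains a directory traversal sequence.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" format:
# host ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Dot-dot followed by a path separator (or at end of value) walks up a directory.
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past filters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_act(target: str) -> List[str]:
    """Return every decoded 'act' value if the request target is an ajax.php script."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/ajax.php'):
        return []
    # parse_qs already decodes one layer; keep blanks so 'act=' alone is visible.
    params = parse_qs(parts.query, keep_blank_values=True)
    return [fully_decode(v) for v in params.get('act', [])]


def is_traversal(act: str) -> bool:
    """True if the decoded act value could escape the directory ajax.php includes from.

    Legitimate values are bare class names, so any separator, dot-dot or NUL
    (historically used to truncate the appended '.php') is treated as hostile.
    """
    return (bool(TRAVERSAL_RE.search(act))
            or '\x00' in act
            or act.startswith(('/', '\\')))


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client, time, decoded act, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for act in extract_act(m['target']):
            if is_traversal(act):
                hits.append((m['host'], m['time'], act, int(m['status'])))
    return hits


# Constructed sample log lines (not a real capture). Addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    # benign call with a plain class name (placeholder name, not a Zen Cart identifier)
    '203.0.113.5 - - [10/Nov/2015:10:01:02 +0000] "GET /ajax.php?act=ajaxPayment&method=doPayment HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # traversal in clear text
    '198.51.100.7 - - [10/Nov/2015:10:02:15 +0000] "GET /ajax.php?act=../../../../../../etc/passwd&method=x HTTP/1.1" 200 2048 "-" "curl/7.45.0"',
    # traversal with percent-encoded dots and slashes, store under /shop
    '198.51.100.7 - - [10/Nov/2015:10:02:16 +0000] "GET /shop/ajax.php?act=%2e%2e%2f%2e%2e%2fetc%2fpasswd&method=x HTTP/1.1" 500 0 "-" "curl/7.45.0"',
    # traversal double-encoded (%25 -> %)
    '198.51.100.7 - - [10/Nov/2015:10:02:17 +0000] "GET /ajax.php?act=%252e%252e%252fetc%252fpasswd&method=x HTTP/1.1" 500 0 "-" "curl/7.45.0"',
    # dot-dot on a different script must not fire for this CVE
    '203.0.113.9 - - [10/Nov/2015:10:03:00 +0000] "GET /index.php?main_page=product_info&products_id=..%2f HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for client, when, act, status in scan_access_log(SAMPLE_LOG):
        print(f'{when} {client} act={act!r} status={status}')
```

A 200 on a traversal request is the signal to escalate: an unpatched 1.5.4 ajax.php would have included the named file, whereas a patched or filtered instance typically fails the request. The server-side fix for this class of bug is the mirror image of is_traversal: accept act only if it matches an allowlist of known class names rather than trying to strip bad characters.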

Exploits (1)

exploitdb WRITEUP VERIFIED
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/39017


Classification
Writeup 95%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: Zen Cart 1.5.4
No auth needed
Prerequisites: Access to the target web server · Ability to upload or control a PHP file on the server
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Exploit, Patch, Technical Description, Third Party Advisory x_refsource_misc
https://www.htbridge.com/advisory/HTB23282
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39017/
Exploit, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537129/100/0/threaded
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015

Scores

CVSS v3 9.8
EPSS 0.3849
EPSS Percentile 97.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (1)
zen-cart/zen_cart 1.5.4
Published Aug 24, 2017
Tracked Since Feb 18, 2026