CVE-2021-3291

HIGH

Zen Cart 1.5.7b - Command Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-3291. PoCs published by Mücahit Saratar, ImHades101.

AI-analyzed exploit summary: This Metasploit module exploits an authenticated remote code execution vulnerability in ZenCart v1.5.7b by injecting malicious PHP code into module configuration settings, which is then executed via a crafted HTTP request.

Description

Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Mücahit Saratar · ruby · webapps · php
https://www.exploit-db.com/exploits/49608

This Metasploit module exploits an authenticated remote code execution vulnerability in ZenCart v1.5.7b by injecting malicious PHP code into module configuration settings, which is then executed via a crafted HTTP request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZenCart v1.5.7b
Auth required
Prerequisites: Valid admin credentials · Access to the admin panel · Module configuration settings must be editable
devstral-2 · analyzed Feb 18, 2026
nomisec STUB 1 stars
by ImHades101 · poc
https://github.com/ImHades101/CVE-2021-3291

The repository contains only a minimal README with no exploit code or technical details. It appears to be a placeholder or incomplete project.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/MucahitSaratar/zencart_auth_rce_poc
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/161613/Zen-Cart-1.5.7b-Remote-Code-Execution.html

Scores

CVSS v3 7.2
EPSS 0.3261
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (2)
zen-cart/zen_cart 1.5.7b
zencart/zencart 0 - 1.5.7c (Packagist)
Published Jan 26, 2021
Tracked Since Feb 18, 2026