CVE-2023-53915

MEDIUM

Zenphoto 1.6 - Authenticated Stored Cross-Site Scripting via Album Description

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53915. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary: The exploit demonstrates multiple stored XSS vulnerabilities in Zenphoto 1.6. It provides clear steps to trigger XSS via album descriptions and user profile fields (postal code), confirming the vulnerability with a PoC video link.

Description

Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags in the description field that execute when users view the album page.

Exploits (1)

exploit-db · Working PoC · Verified
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51485

Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Zenphoto 1.6
Auth required
Prerequisites: Access to create albums or modify user profiles · Admin or user-level authentication
Analyzed by devstral-2 on Feb 18, 2026

References (3)

Core References
https://www.exploit-db.com/exploits/51485 (Exploit, Third Party Advisory, VDB Entry)

Scores

CVSS v3 4.6
EPSS 0.0026
EPSS Percentile 16.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
zenphoto/zenphoto 1.6
Zenphoto/Zenphoto 1.6
Published Dec 17, 2025
Tracked Since Feb 18, 2026