CVE-2023-53916

MEDIUM

Zenphoto 1.6 - Stored Cross-Site Scripting in User Postal Code Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53916. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary: The exploit demonstrates multiple stored XSS vulnerabilities in Zenphoto 1.6. It provides clear steps to trigger XSS via album descriptions and user profile fields (postal code), confirming the vulnerability with a PoC video link.

Description

Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field, which is editable through the admin-users.php interface. The stored value is rendered as HTML without escaping when an administrator views the user's information, so JavaScript injected into the postal code field executes in the administrator's browser context.

Exploits (1)

exploitdb · Working PoC · Verified
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51485


Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Zenphoto 1.6
Auth required
Prerequisites: Access to create albums or modify user profiles · Admin or user-level authentication
devstral-2 · analyzed Feb 18, 2026

References (3)

Core references (3)
Tags: Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/51485

Scores

CVSS v3 4.6
EPSS 0.0027
EPSS Percentile 18.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
zenphoto/zenphoto 1.6
Zenphoto/Zenphoto 1.6
Published Dec 17, 2025
Tracked Since Feb 18, 2026