Description
Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported as HTML, malicious JavaScript payloads injected into the postal code field execute in their browser context.
Problem types
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Credits
Mirabbas Ağalarov
References
www.exploit-db.com/exploits/51485 (ExploitDB-51485)
www.zenphoto.org/news/zenphoto-1.6/ (Official Product Webpage)
www.vulncheck.com/...te-scripting-via-user-postal-code-field (VulnCheck Advisory: Zenphoto 1.6 Stored Cross-Site Scripting via User Postal Code Field)
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.