Authenticated arbitrary file upload to RCE  
Product : Zenphoto   
Affected : Zenphoto CMS - <= 1.5.7  
Attack Type : Remote  
login then go to plugins then go to uploader and press on the check box elFinder  
then press apply , after that you go to upload then Files(elFinder) drag and drop  
any malicious php code after that go to /uploaded/ and you're php code  
Zenphoto through 1.5.7 is affected by authenticated arbitrary file  
upload, leading to remote code execution. The attacker must navigate to  
the uploader plugin, check the elFinder box, and then drag and drop  
files into the Files(elFinder) portion of the UI. This can, for  
example, place a .php file in the server's uploaded/ directory.  
Abdulaziz Almisfer