Just announced this morning, the Zen Cart core team released a security patch for all versions back to 1.3.8. It addresses a possible sql injection in the product notifications code.
This file needs uploading to every Zen Cart version – EVERY ONE!
Contact me if you need assistance. I’m presently uploading this to everyone on my server and all my maintenance clients.
The Zen Cart forum post is here with a link to the file:
https://www.zen-cart.com/showthread.php?225676-Security-Patch-for-all-versions-prior-to-v156c
Author: Delia Wilson Lunsford, Founder & CEO, WizTech, Inc.