In Zen Cart v1.2 through v1.3.7 an admin vulnerability exists which could let a rogue user login to your admin area unmonitored.
As always, it is WISE TO RENAME YOUR ADMIN FOLDER.
If you have already renamed and not told anyone the new name of your admin folder, you are much less likely to be affected.
The patch should be applied based on the version you're using. You can find the patches at SourceForge:
REMEMBER -- The BEST SECURITY for your Admin area is to RENAME it from /admin/ to something else.
See your /docs folder for instructions, or see the FAQ here:
Security Recommendations, including Renaming the Admin folder
The Zen Cart team is thankful to Tomaz Bratusa at Team Intell for reporting this vulnerability.
Vulnerability issues should be reported to team AT zen-cart DOT com.