Download available here:

PCI Compliance
v1.5.0 is PA-DSS certified.
v1.5.1 was an optional update, not submitted for formal re-certification.
v1.5.2 was released as a beta only, and not submitted for formal re-certification.
v1.5.3 began re-certification but encountered delays, and is being released before certification is finalized. It includes stronger password handling with blowfish encryption, and many other improvements for security and performance and compatibility.

A final PCI-Certified version will be released (with a new version number) in hopefully only a couple months. This release is going out now so the community can benefit from the many improvements, including PHP 5.4 and PHP 5.5 compatibility, to keep up with current server upgrades happening with many hosting companies.

Minimum Requirements
Zen CartŪ v1.5.3 requires a minimum of the following:

  • PHP 5.3.7 up to PHP 5.6 (may run on as low as PHP 5.2.10, but with lesser security protections available)
  • MySQL 5.0 or higher
  • Apache 2.0 or higher.
  • Apache configured with AllowOverride set to either 'All' or at least both 'Limit' and 'Indexes' parameters, and preferably the 'Options' parameter as well.
  • PHP configured to support CURL with OpenSSL

While Zen CartŪ can run on Windows/IIS servers, Linux/Apache servers are recommended for best results, superior performance, and easier use by shopowners.

What's New In v1.5.3:
Improvements include:

  • CHANGE-511 - Change DB functions from mysql to mysqli
  • CHANGE-89 - Convert to bcrypt for password security hashing (requires PHP 5.3.7 or newer)
  • CHANGE-491 - Timezone patch for PHP 5.3/5.4/5.5 (this makes the "timezone offset" plugin obsolete)
  • CHANGE-566 - Add Admin switch to relax PA-DSS "strong" password requirements when in Demo mode
  • CHANGE-543 - Updates for PHP 5.5 Compatibility; Verified PHP 5.6-beta compatibility
  • CHANGE-432 - Numerous fixes for stricter PHP 5.4 compatibility
  • CHANGE-350 - Improvements to queryFactory to better support sql caching
  • CHANGE-359 - Add advanced developer tool for Notifier Trace and a global eventID
  • CHANGE-412 - Increase length of session key field due to changes in PHP defaults
  • CHANGE-421 - Update modules to support CAD and UK currencies
  • CHANGE-427 - Fix Memory Leak with PHP 5.3/5.4
  • CHANGE-434 - Add additional SSL detection checks to accommodate more poorly configured hosting companies
  • CHANGE-450 - Switch to SSL for contact-us form (when SSL is enabled)
  • CHANGE-452 - Add multiple-language and multiple-location support to the Store Pickup shipping module
  • CHANGE-454 - Made low-stock emails interceptable by notifier/observer
  • CHANGE-524 - Fix SaleMaker issues on Discount Quantity
  • ISSUE-54 - Session handling improvements
  • ISSUE-82 - Fix odd PHP 5.4 quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant

Bugfixes and feature updates include:

  • CHANGE-196 - Fix issue with Store-pickup module vs taxes
  • CHANGE-206 - Fix admin profiles code to also manage product types
  • CHANGE-225 - Handle use of comma as decimal point for Gift Voucher
  • CHANGE-235 - Fix for create_account_success doesn't honor session timeout
  • CHANGE-274 - Installer improvement - alert if new version available at install time
  • CHANGE-309 - Changes to avoid spam flags on Admin Emails about payment/shipping modules, and prevent autoresponder replies to newsletters and contact-us emails
  • CHANGE-311 - Data sanity check in customer login and admin customer mgmt to handle missing records resulting from bad imports or damaged data
  • CHANGE-315 - Performance tuning with .htaccess tweaks
  • CHANGE-323 - Fix rounding error with attributes and salemaker
  • CHANGE-332 - Update PayPal WPS to prevent mistakenly entering localized country domain for accessing PayPal services (per PayPal change Q3-2012)
  • CHANGE-341 - Updates to observer/notifier code to better support legacy procedural code
  • CHANGE-343 - Fix various language wording and dist-configure examples vis a vis the logs foldername
  • CHANGE-345 - Fix typo in whos_online legend
  • CHANGE-346 - Fix outdated language in configuration menu help texts, mainly around the name of the logs folder
  • CHANGE-347 - Fix TRY currency in paypal modules
  • CHANGE-348 - Fix Secunia advisory SA50574 - XSS in admin login.php
  • CHANGE-351 - Fix EZ-Pages Table of Contents links not displaying (if queryCache enabled, such as was added in v1.5.1)
  • CHANGE-352 - Fix attributes controller fatal error after upgrade
  • CHANGE-353 - Fix for password_forgotten generates log file
  • CHANGE-354 - Installer now bypasses APC and other caching mechanisms during zc_install, to prevent confusion caused by caching of files which require alteration.
  • CHANGE-355 - Fix redirect error when product is not General
  • CHANGE-361 - Fix blank page problem caused by clash with output_handler in hosting configuration
  • CHANGE-362 - Fix for template_filename not selecting for admin-initiated emails
  • CHANGE-363 - Trap for constant-not-found errors with badly-configured admin plugins
  • CHANGE-364 - Fix installer error: Failed to initialize storage module: memcache
  • CHANGE-365 - Fix missing noindex,nofollow missing on "forgotten" screen in admin
  • CHANGE-368 - Installer was allowing browser to remember old form data
  • CHANGE-371 - Fix for checkout_shipping creating debug logs when shipping method fails to generate methods
  • CHANGE-378 - Fix for Downloads of virtual products fail when site is Down For Maintenance
  • CHANGE-386 - Fix CURL/SSL Vulnerabilities
  • CHANGE-389 - Fix confusion about password reset message
  • CHANGE-392 - Fix coupon_admin.php contains double <p><p> tag
  • CHANGE-396 - Removed nde-basic.css because it is obsolete since v1.5.0
  • CHANGE-397 - Fix Developers Tool Kit where Line number values in results were off by one
  • CHANGE-398 - Store Manager log purge improvements
  • CHANGE-403 - Fix PayPal EC to prevent use of ImmediatePayment when AuthOnly is selected
  • CHANGE-411 - Increase size of fields in tables for admin profiles
  • CHANGE-413 - Change date/time display format in admin header to be consistent with configured preference
  • CHANGE-416 - Prevent unauthorized information disclosure with editor
  • CHANGE-417 - Fix for issue where email confirmation gets truncated on the < symbol in product names
  • CHANGE-422 - Fix overzealous regex for handling IPv6
  • CHANGE-424 - Fix PayPal Micropayments bug which was preventing non-micro payments from working if micropayments credentials were present
  • CHANGE-425 - Fix for: Deleted ez-pages didn't trigger a 404 not found. Disabled pages were still reachable. Now sends to home page and shows message.
  • CHANGE-429 - Suppress HTML-formatting in PHP error messages, to aid in eliminating accidental posting of private links when requesting help
  • CHANGE-432 - Fix several issues causing warnings in debug logs due to PHP 5.4 compatibility
  • CHANGE-435 - Set reply-to header in admin copy of order-confirmation email - to make for easier replying to customers
  • CHANGE-437 - Set proper exclusion metatags to prevent gv_faq pages from being spidered/indexed
  • CHANGE-442 - Fix HTML id=reviewsContent already defined error in reviews sidebox
  • CHANGE-444 - Fix missing 'echo' and centerboxes in tpl_product_info_noproduct.php
  • CHANGE-446 - Cleanup: Remove duplicate code in update_product.php
  • CHANGE-451 - Fix canonical link handling for cases where the site operates entirely in SSL
  • CHANGE-455 - Improve zen_get_all_get_params to accommodate plugin issues throwing PHP Warning: strlen() expects parameter 1 to be string
  • CHANGE-459 - Fix inconsistencies in some zc_install help text
  • CHANGE-463 - Add insulation to protect against inaccessible products caused by errors in custom-written product types (where mistakenly type=0)
  • CHANGE-464 - Fix PHP warning: Use of undefined constant SUPERUSER_PROFILE ...
  • CHANGE-470 - Fix missing closing table row in /admin/orders.php
  • CHANGE-471 - Fix a couple small logic bugs in table_block.php
  • CHANGE-472 - Improve caching for product-type settings
  • CHANGE-474 - Fix boolean typo on comparison in ot_cod_fee module
  • CHANGE-476 - Fix for zen_mail doesn't always use default template for non-english use
  • CHANGE-478 - Fix Incorrect base_href in admin-sent HTML emails in some configurations
  • CHANGE-484 - Quantities added to cart should adjust to stock rather than just a message
  • CHANGE-487 - a Simplify filesmatch rules in htaccess by adding case-insensitivity flag
  • CHANGE-487 - b Add webm permission to htaccess rules for media-playback and downloadable-files
  • CHANGE-489 - Added additional notifiers to order.php class
  • CHANGE-491 - Improvements to automated timezone detection
  • CHANGE-497 - Improvements to date/time display in admin header
  • CHANGE-498 - Fix proxy-detection support for EXCLUDE_ADMIN_IP_FOR_MAINTENANCE and zen_get_ip_address() vs $_SERVER['REMOTE_ADDR']
  • CHANGE-506 - Fix robots tag in admin pages
  • CHANGE-509 - Fix minor incorrect variable declaration in option_values_manager.php
  • CHANGE-514 - Improve Developers Tool Kit to allow the search of single and double quotes
  • CHANGE-519 - Add more error checking in check_page()
  • CHANGE-520 - Remove inline javascript and tags which may not be stripped correctly in product listings etc
  • CHANGE-521 - Fix error on Incorrect integer value: products_priced_by_attribute
  • CHANGE-526 - Additional notifier to allow additional validation in account_edit page
  • CHANGE-527 - Add configuration-settings-search to Developers Toolkit, credit B.Bellamy,torvista (makes the search_configuration_keys plugin obsolete)
  • CHANGE-528 - Updates to valid cart issues with attributes and changes prior to checkout
  • CHANGE-529 - Fix variable initialization in Shipping Estimator
  • CHANGE-532 - Init system - move navigation history to after init_sanitize
  • CHANGE-544 - phpMailer upgrade
  • CHANGE-545 - Allow countries to be flagged as available/unavailable for shipping (built from a combination of code backported from v2 and a contribution by lat9)
  • CHANGE-546 - Init system - Relocate version constants to the beginning of the autoloader process.
  • CHANGE-547 - Utilities updates - CURLtester update
  • CHANGE-548 - Fix PHP Notice: Only variable references should be returned by reference
  • CHANGE-549 - Fix for PHP Notice: Object of class queryFactoryResult could not be converted to int
  • CHANGE-550 - Fix PHP Notice: Constant ATTRIBUTES_PRICE_FACTOR_FROM_SPECIAL already defined
  • CHANGE-551 - PHP Notice: Undefined index: freeshipper
  • CHANGE-559 - Fix for Shipping Estimator which was causing shipping modules to request quotes twice
  • CHANGE-562 - ironlady github pull request - Add webfont files support to .htaccess whitelist
  • CHANGE-563 - Fix zone misspelling in latin1 encoding. Add translations in utf8 version.
  • CHANGE-564 - docs
  • CHANGE-565 - Incorporate the Fix_Cache_key utility code into ZC Admin core (thus the plugin by the same name is now obsolete)
  • CHANGE-568 - Add storeowner-definable session timeout limit
  • CHANGE-570 - Add notifier hook to provide ability for Admin Activity Logs be exportable to CLFS or other standard format (PA-DSS feature)
  • CHANGE-573 - Rename Email HTML switch setting text and description to be clearer
  • CHANGE-574 - Add strict check to some admin pages to protect against invalid variables created by plugins that don't clean up after themselves, like MagneticOne stuff
  • CHANGE-575 - update spiders.txt
  • CHANGE-580 - torvista pull request 11 - locale addition for Windows servers
  • CHANGE-591 - Fix Australia address format to remove comma
  • CHANGE-591 - Fix Australia address format to remove comma
  • CHANGE-593 - PayPal - Change to Pending Reason responses, required one table schema change
  • CHANGE-594 - PayPal API changes - July 2013 (A: deprecated some rarely-used parameters)
  • CHANGE-594 - PayPal API changes - July 2013 (B: Updated treatment of currencies which don't support decimal places)
  • CHANGE-595 - Expand locale support for PayPal to perform better matching and to include PayPal's latest updates
  • CHANGE-601 - Relax PA-DSS "strong" password requirements - sql upgrade changes
  • CHANGE-605 - Fix error in PayPal Standard - PHP Fatal error: Using $this when not in object context
  • CHANGE-609 - PR12 - Address formats for Belgium, Netherlands
  • CHANGE-610,614,617 - lat9 $param1 array output reduction in notifier trace
  • CHANGE-611 - Sanitize all known get parameters.
  • CHANGE-612 - Sanitize all known get parameters.
  • CHANGE-616 - For consistency and PHP 5.4 compatibility $_SESSION['shipping'] should always be treated as an array
  • CHANGE-619 - Improve speed of stores with over 10,000 products
  • CHANGE-621 - Set defaults on Developers Toolkit pulldowns to improve ease of use
  • CHANGE-622 - Fix issues with ot-coupon for ship/free combo
  • CHANGE-626 - Fix fresh install error if cache table is damaged or database has no tables
  • CHANGE-632 - Change paypal modules to use /logs/ directory for logging
  • CHANGE-638 - Fix review-text stripping html characters into wrong symbols
  • CHANGE-639 - Fix XSS display problem in back-end preview screen
  • CHANGE-666 - minor typo in option_name.php language file
  • CHANGE-667 - Constant OFFICE_IP_TO_HOST_ADDRESS already set
  • CHANGE-671 - Change default address-format layout for Sweden
  • CHANGE-673 - Remove obsolete ssl-unclean-shutdown hack from admin
  • CHANGE-675 - Update country names to reflect changes in the ISO standards thru end of 2013
  • CHANGE-677 - Adjust admin categories code to stop triggering false-positive on security scan
  • CHANGE-678 - Adjust admin banner code to stop triggering a false-positive alert on security scan
  • CHANGE-679 - Adjust admin categories code to stop triggering false-positive on security scan
  • CHANGE-681 - Fix admin scenario of mixed content embedded on a page
  • CHANGE-682 - Adjust admin product-music code to stop triggering false-positive on security scan
  • CHANGE-683 - Backport compatibility fix
  • CHANGE-685 - Fix stock reduction problem with checkbox/attribute combinations in cart
  • CHANGE-686 - Changes to ensure output is correctly sanitized even in places protected by authentication requirements
  • CHANGE-689 - zc_install updates
  • CHANGE-690 - Add function to do lookup of latest version of plugins
  • CHANGE-691 - Retire obsolete compatibility functions
  • CHANGE-692 - CURL-force SSL3 on Cardinal connections
  • CHANGE-694 - Stopped admin send-mail page from drawing a huge dropdown list even when a single customer is pre-selected from customers screen
  • CHANGE-696 - Display of Product Categories is unclear and needs better layout
  • CHANGE-697 - Change core config entries to not use config-group-id 0 since many sloppy plugin authors delete those core settings
  • CHANGE-698 - Fix bugs in calls to zenCssButton()
  • CHANGE-706 - Clean up display of "php disabled functions" list in zc_install inspect screen
  • CHANGE-707 - Fix admin url autodetection to accommodate :port suffix in admin urls for local dev setups, and better handle shared-ssl configurations
  • CHANGE-708 - EZ Page Title Tag incorrect (introduced by CHANGE-425)
  • CHANGE-713 - zc_install problem with correctly detecting working dir on shared-SSL servers
  • CHANGE-715 - Fix Attributes Controller not accounting for Tax classes
  • CHANGE-716 - General file formatting and syntax cleanups
  • ISSUE-9 - Fix minor issue with model number display on product_reviews page
  • ISSUE-19 - Fix coupon-admin date check since mktime() doesn't support is_dst param anymore
  • ISSUE-23 - Clean up add to cart when non-numeric value is used and display message
  • ISSUE-51 - Add ability to autoload observer classes without needing to also create auto_loaders scripts
  • ISSUE-52 - Change admin rules to allow pass"phrases" by permitting the use of spaces
  • ISSUE-81 - class.base.php: Initialize static observer
  • ISSUE-82 - Fix odd PHP 5.4 quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant
  • ISSUE-83 - lat9 requested more notifiers for order-class
  • ISSUE-87 - Fix payment module problem admin-side preventing use of Refund option
  • ISSUE-88 - Fix var assignment operator in ot_gv.php for Calculate Tax
  • ISSUE-89 - Update zenCssButton function and stylesheet to use CSS3 (courtesy of lat9 contribution)
  • ISSUE-90 - Add gTLD support for email addresses (like .marketing or .international)
  • ISSUE-116 - Make admin configure.php "cognizant" of /local subdirectory
  • ISSUE-131 - Change password fields to specify autocomplete=off
  • ISSUE-132 - Clean up some debug logging activity with payment modules
  • ISSUE-133 - Change error messages on password-forgotten screen
  • ISSUE-134 - Fix outputs for locate_configuration in DTK added by recent incorporation of lookup plugin
  • ISSUE-135 - Fix a potential XSS issue on the countries screen
  • ISSUE-136 - Fix frequently-reported scenario where redirect links could be abused to redirect to unverified destinations
  • ISSUE-137 - Add PCI DSS warning to the DB query-logging switch
  • ISSUE-138 - Riddler spider causing performance issues; update spiders.txt list
  • ISSUE-142 - Record Company/Record Artist cannot update language dependant fields
  • ISSUE-143 - Remove (previously commented-out) SecFilter rules from zc_install/.htaccess so aggressive hosting company security systems don't quarantine

To upgrade from v1.5.1 to v1.5.3
Simple: if you are using v1.5.1 already and have not customized any of the files listed in the changed_files-v1-5-2.html and changed_files-v1-5-3.html documents, then simply replace those files with the new versions contained herein.
If you HAVE customized or altered certain files, simply re-do your customizations in the new version of those particular files by making the same changes needed.
If you are using Addons/Plugins that have made alterations to those files, it is best to compare those changed files against the original v1.5.1 files, and see what changes were there ... and then re-build those changes in the v1.5.3 file.
Once you've updated the files, run zc_install to upgrade your database content.

To upgrade to v1.5.3 from v1.3.9h or older
If you are upgrading from a version OLDER than v1.5.1, then please do a standard complete site upgrade:
NOTE: A simplified way of looking at upgrading is explained here:


Many people have asked about the "missing ?> at the end of some PHP files".
This is INTENTIONAL, and explained here:
It is NOT an error in the files or the download.