Hosting Zen Cart

Zen Cart

Zen Cart is an open source e-commerce shopping cart application. Zen Cart forked from osCommerce in 2003.

1 click installation

Easy update

Backup and restoration


e-Commerce and Business
Current version
Last update: 20 March 2016
English, Nederlands (Dutch)

System Requirements

Installation size: 22 MB
open source

What's new


(major version)
20 March 2016 - 22MB
  • All known v1.5.4 bugfixes and security fixes are included in v1.5.5, including tighter control around XSS as well as clickjacking
  • Template: The default out-of-the-box template (called "Responsive Classic") is now a mobile-friendly responsive-design theme built for flexibility with tablets, mobile devices, and desktops.
  • Template: The core template_default files have been reviewed for HTML5 compliance, and a number of classes and IDs have been added to move older styling to CSS instead. Specific input types like email/telephone are used for easier use on mobile devices.
  • Admin: Admin menu improvements to help it fit tablet screens better
  • Admin: Added customer-password reset via Admin
  • Admin: Products Price Manager: Added display of taxes into prices
  • Admin: Improvements to developers-toolkit and whos-online
  • SEO: Numerous updates to canonical-url handling
  • SEO: Added hreflang markup for better indexing of multilingual sites, and other HTML page-header metatag improvements
  • Checkout: Order Details added to Checkout-Success page
  • Payment: PayPal Express Checkout has numerous updated compatibilities added, including their latest InContext mobile support
  • Payment: Added SagePay Form payment module (for hosted offsite PCI compliant credit card processing)
  • Payment: Added First Data Hosted Checkout Payment Pages (Global Gateway e4) module (for hosted offsite PCI compliant credit card processing)
  • Payment: Retired obsolete Linkpoint_API payment module (replaced by the new Payeezy JS module)
  • Payment: Added Payeezy JS (First Data/Global Gateway e4) Payment module (for onsite PCI compliant credit card processing)
  • Core: Added PHP 7.0 compatibility
  • Core: Added MySQL 5.7 compatibility
  • Core: Improved error-logging for troubleshooting (included @lat9's debug-backtrace mod)
  • Core: Improved/simplified code for db query handling, allowing simple foreach() iterations instead of requiring while(!EOF) loops
  • Core: Added hooks to allow for 3rd-party-handling of taxes, for plugin support with orders, attributes, and much more
  • Core: Fix some rounding errors
  • Core: Added cron code for automated currency-updating, and currency sources can be selected from Admin->Config->My Store menu, and plugins can auto-show in this list
  • Core: Fixed bug with a race condition causing database errors related to sessions
  • Core: Simplified the configure.php file contents significantly by retaining only the most-often-customized components, and added an automatic-converter as part of zc_install's initial inspection
  • Email: Integrated @lat9's "common CSS styling" for HTML emails
  • Email: Added newer phpMailer integration (better compatibility with more email services), and email-failure errors are logged to /logs/ for easier debugging if problems occur
  • Some language-file cleanups
  • Improved compatibility for payment/shipping modules and SSL/TLS to work with the 2016 SHA-256 Secure Server initiatives being embraced by modern hosting companies and PCI Compliance
  • Rewrote zc_install - fresh new look, will make future internal maintenance easier
  • Replaced phpBB integration with generic hooks to allow for various external forums
  • Security patches for alerts provided from various security watchdog sites
  • Numerous other small improvements to make things work faster, sleeker, smarter and be easier to use


(major version)
31 December 2014 - 22MB

Improvements
  • CHANGE-714 - Add progressive-enhancement to checkout flow for PCI compliance when card details collected onsite (added ajax infrastructure, and jQuery)
  • Fix #209 - POODLE protection - Remove SSLv3 mode, to allow autonegotiation

Bugfixes and feature updates
  • CHANGE-724 - Fix init_cache_key_check.php redirect loop which occurred when the user deletes the /cache/ folder
  • CHANGE-423 - PayPal Express Checkout - recover funding failure (10486) with "retry" if card is declined
  • CHANGE-725 - Authorizenet SIM module now hashes x_currency_code
  • CHANGE-730 - Linkpoint CURL SSL bug triggers PHP Warning: Illegal string offset
  • CHANGE-731 - Update SIM and AIM to add support for AUD,NZD currencies (now supports USD CAD GBP EUR AUD NZD)
  • CHANGE-732 - Update SIM and AIM to set defaults for merchant accounts capable of doing POS and Web transactions in one account
  • CHANGE-733 - Store-pickup module not activating properly for zone restrictions
  • CHANGE-311 - Data sanity check in admin/customers.php
  • CHANGE-709 - Refactor logging infrastructure
  • CHANGE-735 - Fix CSRF in admin profiles for action=delete
  • CHANGE-736 - Fix CSRF in layout_controllers for action=reset_defaults
  • CHANGE-737 - Replace hard-coded language text in /admin/orders.php
  • Fix #136 - Error in html syntax in admin_activity and CSS comment syntax in who's online
  • Fix #152 - Page not found when incorrect EZPage link remove status
  • Fix #188 - Remove code comment causing false-positive in security scan
  • Fix #210 - Fix code dealing with apostrophes in filenames
  • Fix #215 - Added additional common destinations to curltester script
  • Fix #221 - Fix Discount Coupon and Shipping Cost
  • Fix #246 - Fix errors about passwords during zc_install upgrade
  • ISSUE-82 - (continuation of) Fix odd PHP quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant
  • Optimizations and improvements to various database queries
  • Fix queries in class.phpbb.php
  • Fix fmod_round and shopping_cart using (int) on quantity
  • Backported a PHP 5.4 fix to attributes_controller
  • zc_install - Fix email validation in zc_install to allow for new domain name TLDs
  • Fix override of Mexico addresses with PayPal Pro
  • Substitute gethostname for shell_exec since some hosts disable shell_exec


(major version)
7 July 2014 - 22MB

Improvements:
  • CHANGE-511 - Change DB functions from mysql to mysqli
  • CHANGE-89 - Convert to bcrypt for password security hashing (requires PHP 5.3.7 or newer)
  • CHANGE-491 - Timezone patch for PHP 5.3/5.4/5.5 (this makes the "timezone offset" plugin obsolete)
  • CHANGE-566 - Add Admin switch to relax PA-DSS "strong" password requirements when in Demo mode
  • CHANGE-543 - Updates for PHP 5.5 Compatibility; Verified PHP 5.6-beta compatibility
  • CHANGE-432 - Numerous fixes for stricter PHP 5.4 compatibility
  • CHANGE-350 - Improvements to queryFactory to better support sql caching
  • CHANGE-359 - Add advanced developer tool for Notifier Trace and a global eventID
  • CHANGE-412 - Increase length of session key field due to changes in PHP defaults
  • CHANGE-421 - Update modules to support CAD and UK currencies
  • CHANGE-427 - Fix Memory Leak with PHP 5.3/5.4
  • CHANGE-434 - Add additional SSL detection checks to accommodate more poorly configured hosting companies
  • CHANGE-450 - Switch to SSL for contact-us form (when SSL is enabled)
  • CHANGE-452 - Add multiple-language and multiple-location support to the Store Pickup shipping module
  • CHANGE-454 - Made low-stock emails interceptable by notifier/observer
  • CHANGE-524 - Fix SaleMaker issues on Discount Quantity
  • ISSUE-54 - Session handling improvements
  • ISSUE-82 - Fix odd PHP 5.4 quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant

Bugfixes and feature updates:
  • CHANGE-196 - Fix issue with Store-pickup module vs taxes
  • CHANGE-206 - Fix admin profiles code to also manage product types
  • CHANGE-225 - Handle use of comma as decimal point for Gift Voucher
  • CHANGE-235 - Fix for create_account_success doesn't honor session timeout
  • CHANGE-274 - Installer improvement - alert if new version available at install time
  • CHANGE-309 - Changes to avoid spam flags on Admin Emails about payment/shipping modules, and prevent autoresponder replies to newsletters and contact-us emails
  • CHANGE-311 - Data sanity check in customer login and admin customer mgmt to handle missing records resulting from bad imports or damaged data
  • CHANGE-315 - Performance tuning with .htaccess tweaks
  • CHANGE-323 - Fix rounding error with attributes and salemaker
  • CHANGE-332 - Update PayPal WPS to prevent mistakenly entering localized country domain for accessing PayPal services (per PayPal change Q3-2012)
  • CHANGE-341 - Updates to observer/notifier code to better support legacy procedural code
  • CHANGE-343 - Fix various language wording and dist-configure examples vis a vis the logs foldername
  • CHANGE-345 - Fix typo in whos_online legend
  • CHANGE-346 - Fix outdated language in configuration menu help texts, mainly around the name of the logs folder
  • CHANGE-347 - Fix TRY currency in PayPal modules
  • CHANGE-348 - Fix Secunia advisory SA50574 - XSS in admin login.php
  • CHANGE-351 - Fix EZ-Pages Table of Contents links not displaying (if queryCache enabled, such as was added in v1.5.1)
  • CHANGE-352 - Fix attributes controller fatal error after upgrade
  • CHANGE-353 - Fix for password_forgotten generates log file
  • CHANGE-354 - Installer now bypasses APC and other caching mechanisms during zc_install, to prevent confusion caused by caching of files which require alteration.
  • CHANGE-355 - Fix redirect error when product is not General
  • CHANGE-361 - Fix blank page problem caused by clash with output_handler in hosting configuration
  • CHANGE-362 - Fix for template_filename not selecting for admin-initiated emails
  • CHANGE-363 - Trap for constant-not-found errors with badly-configured admin plugins
  • CHANGE-364 - Fix installer error: Failed to initialize storage module: memcache
  • CHANGE-365 - Fix missing noindex,nofollow on "forgotten" screen in admin
  • CHANGE-368 - Installer was allowing browser to remember old form data
  • CHANGE-371 - Fix for checkout_shipping creating debug logs when shipping method fails to generate methods
  • CHANGE-378 - Fix for Downloads of virtual products fail when site is Down For Maintenance
  • CHANGE-386 - Fix CURL/SSL Vulnerabilities
  • CHANGE-389 - Fix confusion about password reset message
  • CHANGE-392 - Fix coupon_admin.php contains double 'p' tag
  • CHANGE-396 - Removed nde-basic.css because it is obsolete since v1.5.0
  • CHANGE-397 - Fix Developers Tool Kit where Line number values in results were off by one
  • CHANGE-398 - Store Manager log purge improvements
  • CHANGE-403 - Fix PayPal EC to prevent use of ImmediatePayment when AuthOnly is selected
  • CHANGE-411 - Increase size of fields in tables for admin profiles
  • CHANGE-413 - Change date/time display format in admin header to be consistent with configured preference
  • CHANGE-416 - Prevent unauthorized information disclosure with editor
  • CHANGE-417 - Fix for issue where email confirmation gets truncated on the less-than symbol in product names
  • CHANGE-422 - Fix overzealous regex for handling IPv6
  • CHANGE-424 - Fix PayPal Micropayments bug which was preventing non-micro payments from working if micropayments credentials were present
  • CHANGE-425 - Fix for: Deleted ez-pages didn't trigger a 404 not found. Disabled pages were still reachable. Now sends to home page and shows message.
  • CHANGE-429 - Suppress HTML-formatting in PHP error messages, to aid in eliminating accidental posting of private links when requesting help
  • CHANGE-432 - Fix several issues causing warnings in debug logs due to PHP 5.4 compatibility
  • CHANGE-435 - Set reply-to header in admin copy of order-confirmation email - to make for easier replying to customers
  • CHANGE-437 - Set proper exclusion metatags to prevent gv_faq pages from being spidered/indexed
  • CHANGE-442 - Fix HTML id=reviewsContent already defined error in reviews sidebox
  • CHANGE-444 - Fix missing 'echo' and centerboxes in tpl_product_info_noproduct.php
  • CHANGE-446 - Cleanup: Remove duplicate code in update_product.php
  • CHANGE-451 - Fix canonical link handling for cases where the site operates entirely in SSL
  • CHANGE-455 - Improve zen_get_all_get_params to accommodate plugin issues throwing PHP Warning: strlen() expects parameter 1 to be string
  • CHANGE-459 - Fix inconsistencies in some zc_install help text
  • CHANGE-463 - Add insulation to protect against inaccessible products caused by errors in custom-written product types (where mistakenly type=0)
  • CHANGE-464 - Fix PHP warning: Use of undefined constant SUPERUSER_PROFILE ...
  • CHANGE-470 - Fix missing closing table row in /admin/orders.php
  • CHANGE-471 - Fix a couple small logic bugs in table_block.php
  • CHANGE-472 - Improve caching for product-type settings
  • CHANGE-474 - Fix boolean typo on comparison in ot_cod_fee module
  • CHANGE-476 - Fix for zen_mail doesn't always use default template for non-english use
  • CHANGE-478 - Fix Incorrect base_href in admin-sent HTML emails in some configurations
  • CHANGE-484 - Quantities added to cart should adjust to stock rather than just a message
  • CHANGE-487 - a Simplify filesmatch rules in htaccess by adding case-insensitivity flag
  • CHANGE-487 - b Add webm permission to htaccess rules for media-playback and downloadable-files
  • CHANGE-489 - Added additional notifiers to order.php class
  • CHANGE-491 - Improvements to automated timezone detection
  • CHANGE-497 - Improvements to date/time display in admin header
  • CHANGE-498 - Fix proxy-detection support for EXCLUDE_ADMIN_IP_FOR_MAINTENANCE and zen_get_ip_address() vs $_SERVER['REMOTE_ADDR']
  • CHANGE-506 - Fix robots tag in admin pages
  • CHANGE-509 - Fix minor incorrect variable declaration in option_values_manager.php
  • CHANGE-514 - Improve Developers Tool Kit to allow the search of single and double quotes
  • CHANGE-519 - Add more error checking in check_page()
  • CHANGE-520 - Remove inline javascript and tags which may not be stripped correctly in product listings etc
  • CHANGE-521 - Fix error on Incorrect integer value: products_priced_by_attribute
  • CHANGE-526 - Additional notifier to allow additional validation in account_edit page
  • CHANGE-527 - Add configuration-settings-search to Developers Toolkit, credit B.Bellamy,torvista (makes the search_configuration_keys plugin obsolete)
  • CHANGE-528 - Updates to valid cart issues with attributes and changes prior to checkout
  • CHANGE-529 - Fix variable initialization in Shipping Estimator
  • CHANGE-532 - Init system - move navigation history to after init_sanitize
  • CHANGE-544 - phpMailer upgrade
  • CHANGE-545 - Allow countries to be flagged as available/unavailable for shipping (built from a combination of code backported from v2 and a contribution by lat9)
  • CHANGE-546 - Init system - Relocate version constants to the beginning of the autoloader process.
  • CHANGE-547 - Utilities updates - CURLtester update
  • CHANGE-548 - Fix PHP Notice: Only variable references should be returned by reference
  • CHANGE-549 - Fix for PHP Notice: Object of class queryFactoryResult could not be converted to int
  • CHANGE-550 - Fix PHP Notice: Constant ATTRIBUTES_PRICE_FACTOR_FROM_SPECIAL already defined
  • CHANGE-551 - PHP Notice: Undefined index: freeshipper
  • CHANGE-559 - Fix for Shipping Estimator which was causing shipping modules to request quotes twice
  • CHANGE-562 - ironlady github pull request - Add webfont files support to .htaccess whitelist
  • CHANGE-563 - Fix zone misspelling in latin1 encoding. Add translations in utf8 version.
  • CHANGE-564 - docs
  • CHANGE-565 - Incorporate the Fix_Cache_key utility code into ZC Admin core (thus the plugin by the same name is now obsolete)
  • CHANGE-568 - Add storeowner-definable session timeout limit
  • CHANGE-570 - Add notifier hook to provide ability for Admin Activity Logs be exportable to CLFS or other standard format (PA-DSS feature)
  • CHANGE-573 - Rename Email HTML switch setting text and description to be clearer
  • CHANGE-574 - Add strict check to some admin pages to protect against invalid variables created by plugins that don't clean up after themselves, like MagneticOne stuff
  • CHANGE-575 - update spiders.txt
  • CHANGE-580 - torvista pull request 11 - locale addition for Windows servers
  • CHANGE-591 - Fix Australia address format to remove comma
  • CHANGE-593 - PayPal - Change to Pending Reason responses, required one table schema change
  • CHANGE-594 - PayPal API changes - July 2013 (A: deprecated some rarely-used parameters)
  • CHANGE-594 - PayPal API changes - July 2013 (B: Updated treatment of currencies which don't support decimal places)
  • CHANGE-595 - Expand locale support for PayPal to perform better matching and to include PayPal's latest updates
  • CHANGE-601 - Relax PA-DSS "strong" password requirements - sql upgrade changes
  • CHANGE-605 - Fix error in PayPal Standard - PHP Fatal error: Using $this when not in object context
  • CHANGE-609 - PR12 - Address formats for Belgium, Netherlands
  • CHANGE-610,614,617 - lat9 $param1 array output reduction in notifier trace
  • CHANGE-611 - Sanitize all known get parameters.
  • CHANGE-612 - Sanitize all known get parameters.
  • CHANGE-616 - For consistency and PHP 5.4 compatibility $_SESSION['shipping'] should always be treated as an array
  • CHANGE-619 - Improve speed of stores with over 10,000 products
  • CHANGE-621 - Set defaults on Developers Toolkit pulldowns to improve ease of use
  • CHANGE-622 - Fix issues with ot-coupon for ship/free combo
  • CHANGE-626 - Fix fresh install error if cache table is damaged or database has no tables
  • CHANGE-632 - Change paypal modules to use /logs/ directory for logging
  • CHANGE-638 - Fix review-text stripping html characters into wrong symbols
  • CHANGE-639 - Fix XSS display problem in back-end preview screen
  • CHANGE-666 - minor typo in option_name.php language file
  • CHANGE-667 - Constant OFFICE_IP_TO_HOST_ADDRESS already set
  • CHANGE-671 - Change default address-format layout for Sweden
  • CHANGE-673 - Remove obsolete ssl-unclean-shutdown hack from admin
  • CHANGE-675 - Update country names to reflect changes in the ISO standards thru end of 2013
  • CHANGE-677 - Adjust admin categories code to stop triggering false-positive on security scan
  • CHANGE-678 - Adjust admin banner code to stop triggering a false-positive alert on security scan
  • CHANGE-679 - Adjust admin categories code to stop triggering false-positive on security scan
  • CHANGE-681 - Fix admin scenario of mixed content embedded on a page
  • CHANGE-682 - Adjust admin product-music code to stop triggering false-positive on security scan
  • CHANGE-683 - Backport compatibility fix
  • CHANGE-685 - Fix stock reduction problem with checkbox/attribute combinations in cart
  • CHANGE-686 - Changes to ensure output is correctly sanitized even in places protected by authentication requirements
  • CHANGE-689 - zc_install updates
  • CHANGE-690 - Add function to do lookup of latest version of plugins
  • CHANGE-691 - Retire obsolete compatibility functions
  • CHANGE-692 - CURL-force SSL3 on Cardinal connections
  • CHANGE-694 - Stopped admin send-mail page from drawing a huge dropdown list even when a single customer is pre-selected from customers screen
  • CHANGE-696 - Display of Product Categories is unclear and needs better layout
  • CHANGE-697 - Change core config entries to not use config-group-id 0 since many sloppy plugin authors delete those core settings
  • CHANGE-698 - Fix bugs in calls to zenCssButton()
  • CHANGE-706 - Clean up display of "php disabled functions" list in zc_install inspect screen
  • CHANGE-707 - Fix admin url autodetection to accommodate :port suffix in admin urls for local dev setups, and better handle shared-ssl configurations
  • CHANGE-708 - EZ Page Title Tag incorrect (introduced by CHANGE-425)
  • CHANGE-713 - zc_install problem with correctly detecting working dir on shared-SSL servers
  • CHANGE-715 - Fix Attributes Controller not accounting for Tax classes
  • CHANGE-716 - General file formatting and syntax cleanups
  • ISSUE-9 - Fix minor issue with model number display on product_reviews page
  • ISSUE-19 - Fix coupon-admin date check since mktime() doesn't support is_dst param anymore
  • ISSUE-23 - Clean up add to cart when non-numeric value is used and display message
  • ISSUE-51 - Add ability to autoload observer classes without needing to also create auto_loaders scripts
  • ISSUE-52 - Change admin rules to allow pass"phrases" by permitting the use of spaces
  • ISSUE-81 - class.base.php: Initialize static observer
  • ISSUE-82 - Fix odd PHP 5.4 quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant
  • ISSUE-83 - lat9 requested more notifiers for order-class
  • ISSUE-87 - Fix payment module problem admin-side preventing use of Refund option
  • ISSUE-88 - Fix var assignment operator in ot_gv.php for Calculate Tax
  • ISSUE-89 - Update zenCssButton function and stylesheet to use CSS3 (courtesy of lat9 contribution)
  • ISSUE-90 - Add gTLD support for email addresses (like .marketing or .international)
  • ISSUE-116 - Make admin configure.php "cognizant" of /local subdirectory
  • ISSUE-131 - Change password fields to specify autocomplete=off
  • ISSUE-132 - Clean up some debug logging activity with payment modules
  • ISSUE-133 - Change error messages on password-forgotten screen
  • ISSUE-134 - Fix outputs for locate_configuration in DTK added by recent incorporation of lookup plugin
  • ISSUE-135 - Fix a potential XSS issue on the countries screen
  • ISSUE-136 - Fix frequently-reported scenario where redirect links could be abused to redirect to unverified destinations
  • ISSUE-137 - Add PCI DSS warning to the DB query-logging switch
  • ISSUE-138 - Riddler spider causing performance issues; update spiders.txt list
  • ISSUE-142 - Record Company/Record Artist cannot update language dependent fields
  • ISSUE-143 - Remove (previously commented-out) SecFilter rules from zc_install/.htaccess so aggressive hosting company security systems don't quarantine


18 September 2012 - 22MB


(major version)
30 December 2011 - 22MB

Our Web hostings are compatible with Zen Cart


Only the Web hosting

100% SSD Web Hosting
100 GB and +
Multisite management
Free SSL certificates
Anti-DDoS protection
10 GB of VOD

from 5.75 € / month


The complete Web+Mail offer

100% SSD Web Hosting
100 GB and +
Multisite management
Free SSL certificates
Anti-DDoS protection
10 GB of VOD

Professional messaging
25 email addresses with unlimited storage

Online messaging
Instant messaging
Syncing contacts and calendars

from 7.42 € / month

Cloud Server


100% SSD Web Hosting
100 GB and +
Multisite management
Free SSL certificates
Anti-DDoS protection
10 GB of VOD

2 CPU and +
6 Gb (RAM) and +
100% SSD
100% dedicated resources

Infomaniak manages your server

from 29 € / month

Prices in EUR incl. tax