CVE-2025-47552

CRITICAL 9.8 (CVSS 3.1)
2026-01-07

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 07, 2026 - 13:15 (nvd), CRITICAL 9.8

Description

Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.37.

Analysis

DZS Video Gallery WordPress plugin (through 12.37) is vulnerable to PHP object injection through insecure deserialization. An unauthenticated attacker can inject arbitrary PHP objects, potentially achieving code execution through POP chains.

Technical Context

The plugin deserializes untrusted user input (CWE-502), allowing injection of arbitrary PHP objects. If a suitable POP (Property Oriented Programming) chain exists in WordPress core or installed plugins, this can be escalated to remote code execution.

Affected Products

DZS Video Gallery WordPress plugin through 12.37

Remediation

Remove or update DZS Video Gallery. Consider using Patchstack or similar for WordPress vulnerability protection.

Priority Score

49
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0
