CVE-2025-47553
Deserialization Vulnerability in DZS Video Gallery Enables Object Injection
Publication date: 2026-01-06
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dzs | video_gallery | to 12.25 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-47553 is a high-severity PHP Object Injection vulnerability in the WordPress DZS Video Gallery Plugin (up to version 12.25). It allows an attacker with at least subscriber or developer privileges to inject malicious PHP objects, potentially leading to critical attacks such as code injection, SQL injection, path traversal, denial of service, and other exploits if a suitable Property Oriented Programming (POP) chain is available. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized code execution, database compromise through SQL injection, unauthorized file system access via path traversal, denial of service conditions, and other critical exploits. These impacts can compromise the confidentiality, integrity, and availability of your WordPress site and its data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for exploitation attempts targeting the DZS Video Gallery plugin, specifically looking for PHP Object Injection attack patterns. Since the vulnerability requires at least subscriber or developer privileges to be exploited, reviewing logs for suspicious activity involving user privilege escalation or unusual POST requests to the plugin endpoints may help. However, no specific detection commands or signatures are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released. Additionally, restricting user privileges to the minimum necessary and monitoring for suspicious activity are recommended. Since no official fix is available as of the latest information, applying the mitigation rule and hardening access controls are critical to protect affected WordPress sites. [1]