CVE-2025-49049
Published: 22 January 2026
Summary
CVE-2025-49049 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 30.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-49049 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the ZoomIt DZS Video Gallery (dzs-videogallery) WordPress plugin. The issue impacts versions from n/a through 12.39 and was published on 2026-01-22. It carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to network accessibility, low complexity, and significant confidentiality impact.
Low-privileged remote attackers (PR:L), such as authenticated WordPress users, can exploit this vulnerability over the network without user interaction. Exploitation enables SQL injection, resulting in high confidentiality impact (C:H) through unauthorized data access, low availability impact (A:L), and scope change (S:C) that may affect other users or resources, though integrity remains unaffected (I:N).
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-37-sql-injection-vulnerability?_s_id=cve) documents the SQL injection vulnerability specifically in DZS Video Gallery plugin version 12.37 and provides details relevant to mitigation for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4097
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.39.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct SQL injection in public-facing WordPress plugin enables exploitation of a web application for initial access and data exposure.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely patching and remediation of the SQL injection flaw in DZS Video Gallery plugin versions <= 12.39 to eliminate the vulnerability.
- SI-10 (Information Input Validation): mandates validation of user inputs to the plugin's SQL commands, directly neutralizing special elements to prevent unauthorized data access via SQL injection.
- SC-7 (Boundary Protection): deploys web application firewalls or boundary protections to inspect and block malicious SQL injection payloads targeting the vulnerable plugin.
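As an added illustration of what the SI-10 control means in a WordPress plugin (this is constructed example code, not the DZS Video Gallery plugin's own source; the table name, function names, nonce action, capability and request parameter are all assumptions), here is a gallery-lookup handler in its weak form beside a hardened form that validates the input, binds it through `$wpdb->prepare()`, and gates the endpoint with a capability check:

```php
<?php
// Added illustration: a hypothetical gallery-lookup handler for a WordPress plugin.
// It is NOT code from DZS Video Gallery; the table name, function names and
// request parameter are assumptions chosen for the example.

// Weak pattern (CWE-89): request input is interpolated straight into the SQL text,
// so anything other than a bare integer changes the meaning of the query.
function example_get_gallery_unsafe( $gallery_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_galleries';
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = " . $gallery_id );
}

// Hardened pattern (NIST SI-10): the value is validated as a positive integer and
// bound through $wpdb->prepare(), so it can never be parsed as SQL.
function example_get_gallery_safe( $gallery_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_galleries';

    // Validate first: absint() yields 0 for anything that is not a positive integer.
    $gallery_id = absint( $gallery_id );
    if ( 0 === $gallery_id ) {
        return null;
    }

    // %d forces integer binding; %s would add quoting and escaping for strings.
    // $table is built from the trusted prefix, not from request data.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $gallery_id );
    return $wpdb->get_row( $sql );
}

// Example admin-ajax endpoint wiring (action and nonce names assumed). Because the
// CVE needs only a low-privileged account (PR:L), the capability check matters as
// much as the query fix: a subscriber-level user should not reach the lookup at all.
add_action( 'wp_ajax_example_get_gallery', function () {
    check_ajax_referer( 'example_gallery_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id  = isset( $_POST['gallery_id'] ) ? $_POST['gallery_id'] : 0;
    $row = example_get_gallery_safe( $id );
    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
} );
```

When auditing a plugin for this class of flaw, the pattern to look for is any `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` call whose SQL string is built by concatenation or interpolation from `$_GET`, `$_POST`, `$_REQUEST` or shortcode attributes without passing through `$wpdb->prepare()`; the fix is always to validate the type first and then bind, never to escape by hand.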