Cyber Resilience

CVE-2025-49049

High

Published: 22 January 2026
Modified: 27 April 2026
CVSS v3.1 score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L)
EPSS score: 0.0039 (30.3rd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-49049 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-49049 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the ZoomIt DZS Video Gallery (dzs-videogallery) WordPress plugin. The issue affects versions from n/a through 12.39 (no lower bound is given) and was published on 2026-01-22. It carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity because the flaw is reachable over the network, requires low attack complexity, and has a high confidentiality impact.

Low-privileged remote attackers (PR:L), such as authenticated WordPress users, can exploit this vulnerability over the network without user interaction. Exploitation enables SQL injection, resulting in high confidentiality impact (C:H) through unauthorized data access, low availability impact (A:L), and scope change (S:C) that may affect other users or resources, though integrity remains unaffected (I:N).

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-37-sql-injection-vulnerability?_s_id=cve) documents the SQL injection vulnerability specifically in DZS Video Gallery plugin version 12.37 and provides details relevant to mitigation for affected WordPress installations.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.39.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct SQL injection in a public-facing WordPress plugin enables exploitation of a web application for initial access and data exposure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Requires timely patching and remediation of the SQL injection flaw in DZS Video Gallery plugin versions <= 12.39 to eliminate the vulnerability.

Prevent (SI-10, Information Input Validation): Mandates validation of user input before it reaches the plugin's SQL commands, neutralizing special elements so that injected input cannot alter the query and expose data.

Prevent, Detect: Deploys web application firewalls or boundary protections to inspect and block malicious SQL injection payloads targeting the vulnerable plugin.