Impact
The vulnerability is a deserialization-of-untrusted-data flaw that permits PHP object injection when the DZS Video Gallery plugin processes external input. It is classified as CWE-502 and, if successfully exploited, could enable an attacker to execute arbitrary PHP code or modify server state, compromising the integrity and confidentiality of the WordPress installation.
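The pattern behind a CWE-502 flaw in PHP, shown as an added example rather than the plugin's own code: a class with a magic method is instantiated by `unserialize()` from a string the caller did not control, beside the hardened forms (`allowed_classes => false`, or JSON instead of PHP serialization) and a simple check that flags serialized-object input in logs. The class, property and sample input are constructed for illustration.

```php
<?php
// Added example (not DZS Video Gallery code). Names are hypothetical.

class CacheFlusher {
    public $path;
    // Magic methods such as __wakeup() and __destruct() run automatically
    // when an object is rebuilt by unserialize(), which is why handing
    // unserialize() externally supplied bytes is dangerous: the caller
    // decides which class is created and with what property values.
    public function __wakeup() {
        echo "__wakeup ran with path={$this->path}\n";
    }
}

// Constructed sample input: a serialized CacheFlusher object, as a request
// body could carry it to an endpoint that passes it to unserialize().
$untrusted = 'O:12:"CacheFlusher":1:{s:4:"path";s:11:"/tmp/victim";}';

// Vulnerable pattern: every loadable class is a candidate for injection.
function unsafeLoad(string $data) {
    return unserialize($data);
}

// Hardened pattern 1: refuse to instantiate any class. Object entries in
// the payload become __PHP_Incomplete_Class and no magic method runs.
function safeLoad(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for external input.
// JSON carries only scalars, arrays and plain maps, never behaviour.
function jsonLoad(string $data): ?array {
    $value = json_decode($data, true, 32, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : null;
}

// Detection aid for request logs or WAF rules: does the input contain a
// serialized PHP object marker, O:<len>:"<class>":, at the start or after
// an array/object delimiter?
function looksLikeSerializedObject(string $s): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $s);
}

$vulnerable = unsafeLoad($untrusted);   // __wakeup() runs during this call
$hardened   = safeLoad($untrusted);     // no constructor or magic method runs
var_dump($hardened instanceof __PHP_Incomplete_Class);
var_dump(looksLikeSerializedObject($untrusted));
```

Running this under PHP 7.3 or later shows the echo from `__wakeup()` only for the vulnerable call; the hardened call yields an inert `__PHP_Incomplete_Class` instance.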
Affected Systems
The affected product is the Digital Zoom Studio DZS Video Gallery WordPress plugin, versions up to and including 12.37. All installations of this plugin, including older releases without numeric versioning, are within scope, as the issue affects the plugin from its earliest released version through 12.37.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity level. The EPSS score of less than 1% suggests a low baseline exploitation likelihood, and the vulnerability is not listed in CISA's KEV catalog. Detailed exploitation steps are not publicly disclosed; based on the description, the attack vector is inferred to involve submitting crafted serialized payloads through the plugin's administrative or upload interfaces, so attackers would most likely need to interact with those interfaces. While the low EPSS indicates few publicly available exploits at the time of scoring, the high severity warrants proactive remediation, as the impact of a successful exploit could be catastrophic for affected WordPress sites.
OpenCVE Enrichment