Description
Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds dzs-zoomsounds allows Object Injection.This issue affects ZoomSounds: from n/a through <= 6.91.
Published: 2025-05-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in ZoomSounds permits PHP object injection, enabling an attacker to craft serialized payloads that, when processed, can instantiate arbitrary PHP objects. Based on the description, it is inferred that this flaw can lead to remote code execution, data tampering, or information disclosure. The weakness is identified as CWE-502.

Affected Systems

ZoomIt:ZoomSounds plugin for WordPress versions up to and including 6.91 is impacted. The vulnerability applies to any WordPress site that installs the plugin at v6.91 or earlier; no explicit version gaps are mentioned.

Risk and Exploitability

The CVSS score of 9.8 signals critical severity, and the EPSS score of less than 1% indicates a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that attackers would need to deliver a crafted serialized object to the plugin, likely through a public‑facing endpoint that accepts input, implying remote exploitation is feasible if the plugin processes external data without validation.

Generated by OpenCVE AI on April 30, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ZoomSounds to the latest version beyond 6.91.
  • Inspect the plugin source to ensure no remaining unserialize calls without proper validation.
  • Disable or remove the plugin if an upgrade is not immediately possible.
  • Monitor official advisories and replace the plugin with a secure alternative if critical for the site.

Generated by OpenCVE AI on April 30, 2026 at 19:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28096 Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection. This issue affects ZoomSounds: from n/a through 6.91.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection. This issue affects ZoomSounds: from n/a through 6.91. Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds dzs-zoomsounds allows Object Injection.This issue affects ZoomSounds: from n/a through <= 6.91.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 08 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Digitalzoomstudio
Digitalzoomstudio zoomsounds
CPEs cpe:2.3:a:digitalzoomstudio:zoomsounds:*:*:*:*:*:wordpress:*:*
Vendors & Products Digitalzoomstudio
Digitalzoomstudio zoomsounds

Fri, 23 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection. This issue affects ZoomSounds: from n/a through 6.91.
Title WordPress ZoomSounds plugin <= 6.91 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Digitalzoomstudio Zoomsounds
Zoomit Zoomsounds
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.989Z

Reserved: 2025-05-07T09:55:20.907Z

Link: CVE-2025-47568

cve-icon Vulnrichment

Updated: 2025-05-23T15:21:18.280Z

cve-icon NVD

Status : Modified

Published: 2025-05-23T13:15:39.973

Modified: 2026-04-23T15:30:30.197

Link: CVE-2025-47568

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses