Attack Vectors
The DZS Video Gallery WordPress plugin (all versions before 7.95) carries a Medium-severity vulnerability (CVSS 5.3) that is reachable over the network: the affected code path is exposed by the plugin to any visitor of the site, not only to logged-in users.
Based on the published details, the issue can be exploited by an unauthenticated attacker (no login or privileged role required) and needs no user interaction, which allows attempts to retrieve local or remote files whose names end in .swf.
Security Weakness
This is a limited Local/Remote File Inclusion (LFI/RFI) weakness in DZS Video Gallery affecting versions up to, but not including, 7.95. In practical terms, a vulnerable site may let an attacker name a file for the plugin to fetch and return, typically through path traversal (a local file outside the directory the plugin was meant to serve from) or through a remote URL (a file hosted on a server the attacker controls), in ways the site owner did not intend.
The published advisory notes that exposure is limited to retrieving files with a .swf extension, but it is still categorized as a security issue: the extension check constrains which files can be reached, not who can reach them, so unauthorized file access and information disclosure remain possible.
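The bug class described above, as an added illustrative example that is not the DZS Video Gallery plugin's own code: a file-serving endpoint whose only control is a ".swf" suffix test, beside a hardened form that confines requests to an allowlisted directory. The `file` parameter name, the media directory layout and the sample file are assumptions made for the example.

```php
<?php
// Illustrative only: this is NOT the DZS Video Gallery plugin's code.
// It models the weakness class the advisory describes (a file-serving
// endpoint that checks nothing but a ".swf" suffix) and a hardened form.
// The "file" parameter name and the directory layout are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern: suffix check only ---------------------------
// The only control is "does it end in .swf". An unauthenticated caller
// can still pass "../../../legacy/old.swf" (LFI) or, when allow_url_fopen
// is enabled, "http://attacker.example/x.swf" (RFI): readfile() accepts
// both traversal sequences and URL stream wrappers.
function serve_swf_vulnerable(string $file): void
{
    if (substr($file, -4) !== '.swf') {
        http_response_code(400);
        return;
    }
    header('Content-Type: application/x-shockwave-flash');
    readfile($file); // follows "../" and http:// alike
}

// --- Hardened pattern: allowlisted directory + canonical path check --
// 1. basename() drops every directory component, so traversal sequences
//    and URL schemes never reach the filesystem call.
// 2. The extension is taken with pathinfo() instead of a raw suffix test.
// 3. realpath() canonicalises the result (resolving symlinks) and the
//    prefix check confirms it is still inside the media directory.
function resolve_swf_path(string $requested, string $mediaDir): ?string
{
    $name = basename($requested); // "../x.swf" -> "x.swf", "http://h/x.swf" -> "x.swf"
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'swf') {
        return null;
    }
    $base = realpath($mediaDir);
    $path = realpath($mediaDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Separator appended so "/media" cannot be matched by "/media2/...".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // symlink or other escape from $mediaDir
    }
    return $path;
}

function serve_swf_hardened(string $file, string $mediaDir): void
{
    $path = resolve_swf_path($file, $mediaDir);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/x-shockwave-flash');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Demonstration on constructed inputs (run with: php this_file.php).
if (PHP_SAPI === 'cli') {
    $mediaDir = sys_get_temp_dir() . '/swf-demo';
    @mkdir($mediaDir);
    file_put_contents($mediaDir . '/intro.swf', 'FWS'); // constructed sample file
    $inputs = ['intro.swf', '../intro.swf', 'http://attacker.example/x.swf', 'intro.php'];
    foreach ($inputs as $input) {
        $resolved = resolve_swf_path($input, $mediaDir);
        printf("%-32s -> %s\n", $input, $resolved === null ? 'rejected' : 'serves ' . basename($resolved));
    }
}
```

In the hardened form the traversal attempt `../intro.swf` collapses to the legitimate `intro.swf` inside the media directory, the remote URL and the `.php` request are rejected, and a file that escapes the directory through a symlink is caught by the realpath prefix check rather than by the extension test alone.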
Technical or Business Impacts
The primary risk is information disclosure: the confidentiality impact is rated Low in the CVSS vector, and the 5.3 score is consistent with no integrity or availability impact. Even limited file retrieval creates business risk if it exposes internal resources, legacy media, or other assets that should not be publicly accessible.
For marketing and executive stakeholders, the business impacts include: increased risk of data exposure, potential brand damage if unauthorized content is accessed or shared publicly, and possible compliance concerns if any accessible files relate to regulated data or internal-only materials. From a governance standpoint, the issue also raises audit questions about patch cadence and third-party plugin oversight.
Recommended action: update DZS Video Gallery to version 7.95 or a later patched release, per the vendor/community guidance, and confirm the installed version afterwards in the WordPress plugin list.
Similar Attacks
File inclusion and file disclosure weaknesses are commonly used as stepping stones toward broader compromise, for example when a readable configuration file yields credentials. While the mechanics vary by product, the business lesson is consistent: small "read-only" gaps can still create meaningful exposure.
Examples of widely reported file disclosure/path traversal incidents include:
- Apache HTTP Server 2.4.49 path traversal and file disclosure (CVE-2021-41773)
- Atlassian Confluence Server Widget Connector path traversal and server-side template injection chain (CVE-2019-3396)
Reference: Wordfence vulnerability database entry for DZS Video Gallery.