The Trinity Audio plugin for WordPress contains a missing authorization flaw that allows attackers to bypass intended access restrictions and perform actions that should be limited to privileged users. The weakness, identified as CWE‑862, means that any user who can reach the plugin’s endpoints may gain the ability to trigger restricted operations, potentially exposing sensitive audio data or modifying plugin behavior. The overall severity, as reflected by a CVSS score of 4.3, indicates a moderate risk that could impact confidentiality and integrity if exploited.

All installations of the Trinity Audio plugin up to and including version 5.20.0 are affected. This includes every instance of the plugin deployed on WordPress sites, regardless of the site’s overall security posture or the number of users.

The EPSS score of less than 1% suggests that exploit activity is relatively unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The attack likely requires the attacker to have network access to the WordPress site and the ability to send HTTP requests to the plugin’s endpoints; no authentication is required to reach the vulnerable functionality. If proper authorization checks are missing, a remote attacker could achieve unauthorized access to configuration or content functions, potentially leading to data disclosure, modification, or other unintended behavior.