A missing authorization check in the Trinity Audio plugin allows an attacker to interact with plugin functions that should be restricted to privileged users. This broken access control vulnerability (CWE-862) can expose sensitive content, modify audio settings, or otherwise compromise the integrity of a WordPress site. Attackers could use the plugin’s exposed features to gain unauthorized access to data or perform actions they should not be allowed to execute.

The vulnerability affects the Trinity Audio plugin distributed by sergiotrinity. Any WordPress installation running a version of the plugin from the original release through 5.23.3 is compromised. Site administrators should identify whether their installations are running these affected versions and plan remediation accordingly.

The CVSS score of 4.3 reflects a low‑to‑moderate risk profile, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, meaning no widely known exploits have been reported. Nonetheless, because the flaw permits unauthorized use of plugin functionality, sites should treat it as a potential threat, particularly if the plugin is exposed to public users. Attacks would likely be carried out remotely via the web interface or REST endpoints provided by the plugin, leveraging the deficient access control.