Description
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data.
Published: 2025-10-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch
AI Analysis

Impact

The Trinity Audio WordPress plugin includes an inc/phpinfo.php file that is created during installation and is improperly exposed. This file allows an external user to view internal configuration data. The vulnerability enables an unauthenticated attacker to retrieve sensitive configuration information without performing further exploitation. It falls under CWE-200 and can compromise confidentiality of site settings.

Affected Systems

All WordPress installations using Trinity Audio 5.21.0 or earlier are affected. The vendor is sergiotrinity; the product is the Trinity Audio – Text to Speech AI audio player plugin. No specific patch version details are listed in the dataset, but only versions that include the vulnerable phpinfo file need remediation.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. The EPSS score is less than 1%, suggesting that exploitation is currently uncommon. The vulnerability is not present in CISA’s KEV list. Attackers can exploit it by simply accessing the exposed phpinfo.php file via HTTP, without authentication or additional privileges.

Generated by OpenCVE AI on April 21, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Trinity Audio plugin to the latest version that removes or protects the phpinfo.php file.
  • If upgrading is delayed, delete or rename the admin/inc/phpinfo.php file from the server to eliminate the exposed endpoint.
  • Configure the web server or .htaccess rules to block unauthenticated access to the phpinfo.php file or any directory containing sensitive PHP files.

Generated by OpenCVE AI on April 21, 2026 at 18:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Oct 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Sergiotrinity
Sergiotrinity trinity Audio
Wordpress
Wordpress wordpress
Vendors & Products Sergiotrinity
Sergiotrinity trinity Audio
Wordpress
Wordpress wordpress

Tue, 14 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 11 Oct 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data.
Title Trinity Audio <= 5.21.0 - Unauthenticated Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Sergiotrinity Trinity Audio
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:35.876Z

Reserved: 2025-08-19T17:17:55.890Z

Link: CVE-2025-9196

cve-icon Vulnrichment

Updated: 2025-10-14T13:31:25.815Z

cve-icon NVD

Status : Deferred

Published: 2025-10-11T08:15:32.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9196

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses