Description
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Content state modification via CSRF
Action: Apply Update
AI Analysis

Impact

The Trinity Audio – Text to Speech AI audio player plugin for WordPress contains a Cross-Site Request Forgery condition caused by missing or defective nonce verification in the post-management endpoint. An attacker who lures an administrator into clicking a crafted link can thereby cause the administrator's browser to activate or deactivate posts without authorization. The effect is the unauthorized alteration of content visibility or publication status, which can undermine editorial control and lead to misinformation or reputational damage.

Affected Systems

WordPress installations running the Trinity Audio plugin from the vendor sergiotrinity, for all versions up to and including 5.20.2, are affected. The vulnerability resides in the /admin/inc/post-management.php handler used to change post status.

Risk and Exploitability

The CVSS score of 4.3 denotes medium severity. An EPSS score below 1% indicates a currently low likelihood of exploitation. The vulnerability does not appear in the CISA KEV catalog. Exploitation requires remote social engineering: the attacker must persuade a site administrator to issue the malicious request, usually by clicking a deceptive link, which then reaches the handler that changes post status.

Generated by OpenCVE AI on April 20, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Trinity Audio plugin to the most recent version available from the vendor, ensuring that the post‑management endpoint includes proper nonce validation.
  • If an immediate update is infeasible, limit access to the post‑management functionality to users with appropriate administrative capabilities and enforce verification of a valid CSRF nonce before processing state changes.
  • Consider disabling the post‑management feature of the plugin entirely or removing the plugin from the site until a supported patch is released.
  • Review other WordPress administrative endpoints for missing nonce or CSRF protections and apply appropriate safeguards.
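As an added illustration of the second and fourth actions above (not code from the Trinity Audio plugin or from OpenCVE), the following WordPress admin-post handler shows the unprotected pattern described in the advisory next to the hardened form. The action name `example_toggle_post`, the meta key `_example_audio_enabled` and the `post_id`/`state` parameters are hypothetical; `check_admin_referer`, `wp_nonce_url`, `current_user_can` and the `admin_post_{action}` hook are standard WordPress APIs.

```php
<?php
// Added example, not the plugin's own code: a WordPress admin-post handler that
// toggles a per-post flag, first without CSRF protection and then with a nonce
// and a capability check. Action name, meta key and parameters are hypothetical.

// --- Vulnerable pattern: state change on any request, no nonce, no capability check.
function example_toggle_post_vulnerable() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $state   = ( isset( $_GET['state'] ) && '1' === $_GET['state'] ) ? '1' : '0';
    if ( $post_id ) {
        // A cross-origin request the administrator's browser sends (a link, an
        // image tag) reaches this line with the admin's session cookies attached.
        update_post_meta( $post_id, '_example_audio_enabled', $state );
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// --- Hardened pattern: verify a nonce bound to this action and post, then the capability.
function example_toggle_post_hardened() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $state   = ( isset( $_GET['state'] ) && '1' === $_GET['state'] ) ? '1' : '0';

    // check_admin_referer() calls wp_die() unless the '_wpnonce' query argument is a
    // valid nonce for this exact action string for the current user and session,
    // so a link forged by a third party cannot carry a usable value.
    check_admin_referer( 'example_toggle_post_' . $post_id );

    // A nonce proves intent, not authorization: still require the capability.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    update_post_meta( $post_id, '_example_audio_enabled', $state );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_toggle_post', 'example_toggle_post_hardened' );

// The plugin's own admin UI must emit links that carry a matching nonce; this is
// the only way a legitimate request acquires one.
function example_toggle_post_link( $post_id, $state ) {
    $url = add_query_arg(
        array(
            'action'  => 'example_toggle_post',
            'post_id' => (int) $post_id,
            'state'   => $state ? '1' : '0',
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_toggle_post_' . (int) $post_id );
}
```

When reviewing other plugin endpoints for the same class of defect, the check is that every handler which writes state reaches `check_admin_referer()` (or `wp_verify_nonce()` with an explicit failure branch) before the first write, and that the nonce action string is specific to the operation rather than shared across the plugin.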


Advisories

Source: EUVD
ID: EUVD-2025-32404
Title: The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 06 Oct 2025 16:15:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Oct 2025 14:45:00 +0000

First Time appeared (added): Sergiotrinity; Sergiotrinity trinity Audio; Wordpress; Wordpress wordpress
Vendors & Products (added): Sergiotrinity; Sergiotrinity trinity Audio; Wordpress; Wordpress wordpress

Sat, 04 Oct 2025 03:45:00 +0000

Description (added): The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title (added): Trinity Audio <= 5.20.2 - Cross-Site Request Forgery
Weaknesses (added): CWE-352
References (added):
Metrics (cvssV3_1) added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:20.120Z

Reserved: 2025-09-02T22:17:25.991Z

Link: CVE-2025-9886

Vulnrichment

Updated: 2025-10-06T15:58:31.874Z

NVD

Status: Deferred

Published: 2025-10-04T04:16:24.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses