Description
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-10-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The Trinity Audio – Text to Speech AI audio player plugin for WordPress contains a reflected XSS flaw (CWE‑79) caused by inadequate sanitization of the “range‑date” URL parameter. When the parameter is echoed back without proper encoding, an attacker can embed malicious JavaScript that executes in the victim’s browser whenever a user follows a crafted link. This client‑side code execution can be used for phishing, defacement, or credential theft, and the vulnerability is exploitable by unauthenticated users.

Affected Systems

WordPress sites that have installed the Trinity Audio plugin from the vendor sergiotrinity, specifically versions up to and including 5.20.2, are affected. The flaw exists in all releases of the plugin in that range, independent of the WordPress core version or other plugins.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate severity reflected XSS. The EPSS score of less than 1% reflects a low probability of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker can trivially create a malicious link containing a crafted “range‑date” value, luring a victim to click it; the injected script runs under the site’s domain, granting the attacker control of the victim’s session or the ability to exfiltrate data.

Generated by OpenCVE AI on April 21, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the Trinity Audio plugin when it becomes available, which is expected to remove the vulnerable "range‑date" handling.
  • Validate and sanitize the 'range-date' parameter on the server side and use proper output encoding before echoing it back to the browser.
  • Apply a strict Content Security Policy that disallows inline scripts and blocks JavaScript execution from URL parameters, or otherwise restrict script execution in the affected pages.
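
The second recommendation above, sketched as an added example; it is not code from the plugin or its vendor. It is a must-use plugin file, which WordPress loads before regular plugins, that rejects unexpected 'range-date' values and provides an output helper. The allowed character set, the length limit and the `rd_guard_` names are assumptions, since the page does not state the parameter's legitimate format.

```php
<?php
/**
 * Added example (hypothetical file: wp-content/mu-plugins/range-date-guard.php).
 * Assumption: a legitimate 'range-date' value is a date or date range, so only
 * digits, spaces and the separators / . : , - are accepted. Adjust as needed.
 */

const RD_GUARD_PARAM   = 'range-date';
const RD_GUARD_MAX_LEN = 64; // assumed upper bound for a date-range string

/** True when $value is a string made only of the assumed date-range characters. */
function rd_guard_is_valid( $value ) {
    // Array input (range-date[]=...) and oversized strings are rejected outright.
    if ( ! is_string( $value ) || strlen( $value ) > RD_GUARD_MAX_LEN ) {
        return false;
    }
    // \A and \z anchor the whole string; '$' would tolerate a trailing newline.
    return 1 === preg_match( '#\A[0-9 /.:,-]*\z#', $value );
}

/** Input side: stop the request before any plugin can reflect the value. */
function rd_guard_check_request() {
    foreach ( array( $_GET, $_POST ) as $source ) {
        if ( ! array_key_exists( RD_GUARD_PARAM, $source ) ) {
            continue;
        }
        if ( ! rd_guard_is_valid( $source[ RD_GUARD_PARAM ] ) ) {
            http_response_code( 400 );
            header( 'Content-Type: text/plain; charset=utf-8' );
            exit( 'Invalid date range.' );
        }
    }
}
rd_guard_check_request();

/** Output side: encode for the HTML attribute context the value is written into. */
function rd_guard_render_input( $value ) {
    $value = rd_guard_is_valid( $value ) ? $value : '';
    return '<input type="text" name="range-date" value="' . esc_attr( $value ) . '">';
}
```

The allowlist excludes quotes, angle brackets and backslashes, so the check gives the same result whether or not WordPress has added slashes to the request data.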


Advisories
Source | ID | Title
EUVD | EUVD-2025-32406 | The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

History

Mon, 06 Oct 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Oct 2025 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sergiotrinity; Sergiotrinity trinity Audio; Wordpress; Wordpress wordpress
Vendors & Products | | Sergiotrinity; Sergiotrinity trinity Audio; Wordpress; Wordpress wordpress

Sat, 04 Oct 2025 03:45:00 +0000

Type | Values Removed | Values Added
Description | | The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title | | Trinity Audio <= 5.20.2 - Reflected Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:31.893Z

Reserved: 2025-09-03T13:49:23.099Z

Link: CVE-2025-9952

Vulnrichment

Updated: 2025-10-06T15:54:01.906Z

NVD

Status: Deferred

Published: 2025-10-04T04:16:24.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses