CVE-2025-9196 Scanner
CVE-2025-9196 Scanner - Information Disclosure vulnerability in Trinity Audio Plugin for WordPress
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
10 days 15 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
The Trinity Audio Plugin for WordPress is a widely used tool among web developers and content creators seeking to convert written content into an audio format. Utilized in various environments, this plugin allows websites to offer an enhanced user experience by enabling text-to-speech functionalities. The plugin is applicable across numerous sectors, including e-learning platforms, online publishers, and media outlets. Its integration into WordPress makes it a convenient choice for users seeking seamless audio conversion solutions on their websites. However, vulnerabilities in such plugins can pose significant risks if unaddressed and exploited by malicious actors.
The vulnerability associated with the Trinity Audio Plugin pertains to information disclosure, a prevalent security concern that could lead to unauthorized access to sensitive data. Specifically, an exposure in the plugin's code allows attackers to extract configuration data without requiring authentication. The improper access control stems from a publicly accessible PHP file that reveals information about the system's environment. This type of vulnerability can also serve as an entry point for further attacks targeting the affected platform.
The Trinity Audio Plugin vulnerability exists in the PHP script contained in the admin/inc/phpinfo.php' file, which is publicly accessible upon installation. The file inadvertently discloses crucial server configuration details, including PHP version and installed extensions. Since the vulnerability is present in versions up to and including 5.21.0, attackers can exploit this oversight to gather information about the server's environment and configuration. This exposure is a result of insufficient access controls on sensitive administrative files.
Exploiting this vulnerability could allow an attacker to gather confidential configuration data, which may include database credentials and API keys. Possessing such data, an attacker could compromise additional systems or components of the affected website, expanding their control and foothold within the target environment. The effect of such an attack could include data breaches, service disruptions, or unauthorized access to user data.
REFERENCES
