CVE-2025-9196 in Trinity Audio Plugin
Summary
by MITRE • 10/11/2025
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data.
Analysis
by VulDB Data Team • 10/12/2025
The Trinity Audio – Text to Speech AI audio player plugin for WordPress presents a critical security vulnerability classified as sensitive information exposure affecting all versions through 5.21.0. This vulnerability stems from the unauthorized creation of a phpinfo.php file during the plugin installation process, which remains accessible to unauthenticated attackers. The flaw represents a significant security oversight that directly violates security best practices for plugin development and deployment within the WordPress ecosystem.
The technical implementation of this vulnerability occurs through the automatic generation of a phpinfo.php file within the plugin's administrative directory structure at ~/admin/inc/phpinfo.php. This file contains comprehensive server configuration details including PHP settings, loaded extensions, environment variables, and potentially sensitive system information. The vulnerability exists because the plugin fails to properly secure this diagnostic file or remove it after installation, creating an unintended attack surface that exposes critical system information to any user who can access the WordPress admin directory structure.
From an operational impact perspective, this vulnerability enables attackers to gather extensive information about the target WordPress installation and underlying server configuration. The exposed data may include database connection details, server paths, PHP configuration settings, and other sensitive information that could facilitate further exploitation attempts. According to the CWE database, this represents a CWE-200: Information Exposure vulnerability where system information is inadvertently made available to unauthorized users, potentially enabling more sophisticated attacks such as privilege escalation or targeted exploitation of other system components.
The attack surface is particularly concerning as it requires no authentication to exploit, making it an attractive target for automated scanning tools and malicious actors seeking to gather intelligence about WordPress installations. This vulnerability directly aligns with ATT&CK technique T1213.002: Data from Information Repositories, where adversaries collect system information to understand the environment they are targeting. The exposed phpinfo output can reveal critical details about the server environment that attackers can leverage to plan more effective attacks against the WordPress installation or the underlying infrastructure.
Organizations should immediately implement mitigation strategies including removing the vulnerable phpinfo.php file, ensuring proper file permissions are set on plugin directories, and conducting thorough security audits of installed plugins. The recommended approach involves verifying that no phpinfo.php files exist in the plugin directories and implementing proper access controls to prevent unauthorized file access. Additionally, administrators should consider implementing web application firewalls to block access to suspicious file paths and regularly monitor for unauthorized file creation within WordPress directories to prevent similar vulnerabilities from being exploited in the future.
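One way to carry out the file check recommended above is shown here as an added example; it is not code from the plugin, MITRE or VulDB. It walks a WordPress plugins directory and reports PHP files that are named phpinfo.php or that call phpinfo(). The plugin folder names in the sample tree are constructed placeholders, and the content match is a heuristic, so review each hit before deleting anything.

```python
import re
import sys
import tempfile
from pathlib import Path

# Heuristic: a phpinfo() call anywhere in the file, in any letter case.
PHPINFO_CALL = re.compile(rb"\bphpinfo\s*\(", re.IGNORECASE)

def find_phpinfo_files(plugins_dir):
    """Return sorted (relative_path, reason) pairs for suspect PHP files."""
    root = Path(plugins_dir)
    findings = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() == "phpinfo.php":
            reasons.append("filename")
        try:
            # Read at most 1 MB per file; diagnostic stubs are tiny.
            with path.open("rb") as fh:
                if PHPINFO_CALL.search(fh.read(1_000_000)):
                    reasons.append("calls phpinfo()")
        except OSError:
            pass  # unreadable file: the filename check still applies
        if reasons:
            findings.append((path.relative_to(root).as_posix(), ", ".join(reasons)))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed plugins tree (placeholder plugin names) for the demo."""
    samples = {
        "example-plugin/admin/inc/phpinfo.php": b"<?php phpinfo(); ?>",
        "example-plugin/example-plugin.php": b"<?php /* Plugin Name: Example */",
        "other-plugin/debug/info.php": b"<?php PhpInfo ( INFO_ALL );",
        "other-plugin/notes.php": b"<?php // phpinfo output is no longer exposed",
    }
    for rel, body in samples.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the site's wp-content/plugins directory
        results = find_phpinfo_files(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            results = find_phpinfo_files(tmp)
    for rel, reason in results:
        print(f"{rel}\t{reason}")
```

Run it with the path to the site's wp-content/plugins directory as the only argument; with no argument it scans the constructed sample tree.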