CVE-2025-9196 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the Trinity Audio – Text to Speech AI audio player plugin for WordPress. This plugin converts website content into audio using AI technology and is widely used to enhance accessibility and user engagement. The vulnerability arises because the plugin creates a file named phpinfo.php located at ~/admin/inc/ during installation. This file exposes detailed PHP configuration information, including environment variables, server settings, and potentially sensitive data such as database credentials or API keys, depending on the server configuration. Crucially, this file is accessible without any authentication or user interaction, allowing unauthenticated attackers to retrieve sensitive configuration data remotely. The vulnerability affects all versions up to and including 5.21.0. The CVSS 3.1 base score is 5.3, reflecting a medium severity due to the ease of access (network vector, no privileges required, no user interaction) but limited impact confined to confidentiality without affecting integrity or availability. No patches or official fixes are currently linked, and no exploits have been reported in the wild, but the presence of sensitive configuration data exposure can facilitate further attacks such as credential theft, privilege escalation, or targeted exploitation of other vulnerabilities. The plugin’s widespread use in WordPress sites that serve European audiences increases the risk profile for organizations relying on this technology for content accessibility.

For European organizations, the exposure of sensitive configuration information can have several impacts. Confidentiality breaches may lead to leakage of database credentials, API keys, or internal server details, enabling attackers to conduct further attacks such as unauthorized access, data exfiltration, or lateral movement within the network. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, face increased compliance risks and potential fines under GDPR if sensitive data is compromised. Additionally, attackers could use the exposed information to craft targeted phishing or social engineering campaigns. The impact is particularly significant for websites that integrate Trinity Audio for accessibility or content delivery, as these sites may be high-profile targets. While the vulnerability does not directly affect system integrity or availability, the indirect consequences of information leakage can be severe, including reputational damage and operational disruptions if follow-on attacks succeed.

Immediate mitigation steps include manually removing or restricting access to the ~/admin/inc/phpinfo.php file created by the plugin. Web administrators should configure web server access controls (e.g., .htaccess rules or equivalent) to deny public access to this file or directory. Monitoring web logs for unauthorized access attempts to phpinfo.php can help detect exploitation attempts. Until an official patch is released, organizations should consider disabling or uninstalling the Trinity Audio plugin if it is not critical to operations. When a patched version becomes available, prompt updating to the fixed release is essential. Additionally, conducting a thorough security review of WordPress plugins and minimizing the use of plugins that expose sensitive information by design is recommended. Implementing web application firewalls (WAFs) with rules to block access to sensitive files can provide an additional layer of defense. Regular security audits and vulnerability scanning should be employed to detect similar issues proactively.