Refine your search
1 vulnerability found for Text to Speech – TTSWP by mvirik
CVE-2026-1233 (GCVE-0-2026-1233)
Vulnerability from cvelistv5
Published
2026-04-04 11:16
Modified
2026-04-08 17:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Summary
The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mvirik | Text to Speech – TTSWP |
Version: 0 ≤ 1.9.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T15:44:47.813176Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T15:44:58.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Text to Speech \u2013 TTSWP",
"vendor": "mvirik",
"versions": [
{
"lessThanOrEqual": "1.9.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor\u0027s external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor\u0027s telemetry database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:17:51.949Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dc0b5e-87b9-4831-a92a-bbf6eb1346e2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3453258/text-to-speech-tts"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-03T19:26:31.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-03T22:10:19.000Z",
"value": "Disclosed"
}
],
"title": "Text to Speech (TTS) by Mementor \u003c= 1.9.8 - Use of Hardcoded Password to Unauthenticated Remote Database Access"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1233",
"datePublished": "2026-04-04T11:16:16.425Z",
"dateReserved": "2026-01-20T15:39:38.386Z",
"dateUpdated": "2026-04-08T17:17:51.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}