{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9886", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T22:17:25.991Z", "datePublished": "2025-10-04T03:33:32.003Z", "dateUpdated": "2026-04-08T17:33:20.120Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:20.120Z"}, "affected": [{"vendor": "sergiotrinity", "product": "Trinity Audio \u2013 Text to Speech AI audio player to convert content into audio", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.20.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Trinity Audio \u2013 Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Trinity Audio <= 5.20.2 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f57d99dc-3faa-4dfc-9cb6-fdb5647daf9a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/trinity-audio/tags/5.20.1/admin/inc/post-management.php#L7"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371934%40trinity-audio&new=3371934%40trinity-audio&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "timeline": [{"time": "2025-09-21T15:23:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-06T15:58:10.334631Z", "id": "CVE-2025-9886", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T15:58:38.479Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9886", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-06T15:58:10.334631Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T15:58:31.874Z"}}], "cna": {"title": "Trinity Audio <= 5.20.2 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "sergiotrinity", "product": "Trinity Audio \u2013 Text to Speech AI audio player to convert content into audio", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.20.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-21T15:23:31.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-03T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f57d99dc-3faa-4dfc-9cb6-fdb5647daf9a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/trinity-audio/tags/5.20.1/admin/inc/post-management.php#L7"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371934%40trinity-audio&new=3371934%40trinity-audio&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Trinity Audio \u2013 Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:20.120Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9886", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:20.120Z", "dateReserved": "2025-09-02T22:17:25.991Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-04T03:33:32.003Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Trinity Audio \u2013 Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9886", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-04T04:16:24.730", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/trinity-audio/tags/5.20.1/admin/inc/post-management.php#L7"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3371934%40trinity-audio&new=3371934%40trinity-audio&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f57d99dc-3faa-4dfc-9cb6-fdb5647daf9a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:42:44.884916+00:00", "value": {"mitigation_remediation": ["Update the Trinity Audio plugin to the most recent version available from the vendor, ensuring that the post\u2011management endpoint includes proper nonce validation.", "If an immediate update is infeasible, limit access to the post\u2011management functionality to users with appropriate administrative capabilities and enforce verification of a valid CSRF nonce before processing state changes.", "Consider disabling the post\u2011management feature of the plugin entirely or removing the plugin from the site until a supported patch is released.", "Review other WordPress administrative endpoints for missing nonce or CSRF protections and apply appropriate safeguards."], "summary": {"action": "Apply Update", "impact": "Content state modification via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Trinity Audio plugin from the vendor sergiotrinity, for all versions up to and including 5.20.2, are affected. The vulnerability resides in the /admin/inc/post-management.php handler used to change post status.", "description_and_impact": "The Trinity Audio \u2013 Text to Speech AI audio player plugin for WordPress contains a Cross\u2011Site Request Forgery condition created by missing or defective nonce verification in the post\u2011management endpoint. An attacker who conditions an administrator to click a crafted link can thereby cause the administrator to activate or deactivate posts without authorization. The effect is the unauthorized alteration of content visibility or publication status, which can undermine editorial control and lead to misinformation or reputational damage.", "risk_and_exploitability": "The CVSS score of 4.3 denotes medium severity. An EPSS score of less than 1\u202f% indicates a currently low likelihood of exploitation. The vulnerability does not appear in the CISA KEV catalog. Exploitation requires remote social engineering \u2013 the attacker must persuade a site administrator to execute a malicious request, usually by clicking a deceptive link, which then triggers the control flow that changes post status."}}}}, "created": "2025-10-06T14:41:51.029209+00:00", "updated": "2026-04-20T21:45:18.976121+00:00", "vendors": ["sergiotrinity", "sergiotrinity$PRODUCT$trinity_audio", "wordpress", "wordpress$PRODUCT$wordpress"]}