Home

Description

The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.

PUBLISHED Reserved 2026-01-20 | Published 2026-04-04 | Updated 2026-04-08 | Assigner Wordfence




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status
unaffected

Any version
affected

Timeline

2026-01-08:Discovered
2026-02-03:Vendor Notified
2026-04-03:Disclosed

Credits

Kazuma Matsumoto finder

References

www.wordfence.com/...-87b9-4831-a92a-bbf6eb1346e2?source=cve

plugins.trac.wordpress.org/...set/3453258/text-to-speech-tts

cve.org (CVE-2026-1233)

nvd.nist.gov (CVE-2026-1233)

Download JSON