Cyber Resilience

CVE-2026-1233

High

Published: 04 April 2026

Modified
24 April 2026
KEV Added
Not listed
Patch
Available
CVSS Score v3.1
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score
0.0003 (7.5th percentile)
Risk Priority
15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1233 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in the Text to Speech for WP (AI Voices by Mementor) plugin for WordPress, all versions up to and including 1.9.8. The affected product is inferred from the references and description, since NVD filed no CPE for this CVE. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This entry is tagged as AI-related (category Other Platforms, risk domain Privacy and Disclosure) only because the plugin's name matched the keyword "ai". The flaw itself is a conventional hardcoded-credential issue with no model or LLM attack surface, and no OWASP Top 10 for LLMs entry is mapped to it.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).

Deeper analysis

CVE-2026-1233 is a sensitive information disclosure vulnerability affecting the Text to Speech for WP (AI Voices by Mementor) plugin for WordPress in all versions up to and including 1.9.8. The issue stems from hardcoded MySQL database credentials embedded in the Mementor_TTS_Remote_Telemetry class, which connect to the vendor's external telemetry server. This flaw, classified under CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network accessibility and no prerequisites for exploitation.

Exploitation requires no access to a victim site: the plugin is publicly distributed, so an attacker only needs a copy of its source to extract the embedded credentials, decode them, and authenticate directly to the vendor's telemetry database, where the description states they obtain write access. No privileges, user interaction, or special conditions are required, and the path is fully remote with low complexity. Two caveats for anyone triaging on the score alone. First, the CVSS vector (C:H/I:N/A:N) scores the disclosure of the credentials from the plugin; the write access those credentials grant on the vendor's database is not reflected in the integrity metric, so the practical impact on the vendor side is larger than the vector suggests. Second, updating the plugin only removes the credentials from the code you deploy; it does not revoke them. Credentials that have shipped in a public release should be treated as compromised, and only the vendor can rotate them on the telemetry server.

Mitigation details are in the referenced advisories: WordPress plugin trac changeset 3453258 is the commit that removes the hardcoded credentials, and the Wordfence threat intelligence page provides further analysis and recommends updating to a version later than 1.9.8 (the page does not name the fixed release). Practitioners should inventory WordPress sites for the affected plugin, compare the installed version against 1.9.8, and update immediately; the credential exposure on the vendor's side is not something a site operator can fix.
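One way to run that inventory check, as an added example that is not code from the page, the plugin vendor, or Wordfence: the Python script below walks a wp-content/plugins directory, reads each plugin's header the way WordPress does, flags any copy of the affected plugin whose version is 1.9.8 or lower, and also greps the plugin's PHP for mysqli/PDO connection calls whose host, user and password are string literals (optionally wrapped in base64_decode), which is the CWE-798 shape the advisory describes. The plugin slug, file names, the constructed PHP fixtures, the "1.9.9" version used for the non-vulnerable copy, and the credential regex are all assumptions for illustration; the plugin's real code, the encoding it uses, and the fixed version number are not given on the page.

```python
"""Inventory check for CVE-2026-1233: find copies of the affected plugin at
version <= 1.9.8 and look for hardcoded database credentials in its PHP.

Added example, not the plugin's or the advisory's code. Plugin slug, file
layout, the PHP fixtures and the credential regex are assumptions."""
import re
import tempfile
from pathlib import Path

AFFECTED_PLUGIN_NAME = "Text to Speech for WP"     # from the advisory
LAST_VULNERABLE_VERSION = "1.9.8"                    # from the advisory
TELEMETRY_CLASS = "Mementor_TTS_Remote_Telemetry"    # from the advisory

# Plugin header fields live in the comment block at the top of the main plugin file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
CLASS_RE = re.compile(r"\bclass\s+" + re.escape(TELEMETRY_CLASS) + r"\b")
# A PHP string literal, optionally wrapped in base64_decode(...) since the advisory
# says the credentials must be "decoded". Assumed shape, not the plugin's actual code.
_LIT = r"(?:base64_decode\s*\(\s*)?['\"][^'\"]*['\"]\s*\)?"
# mysqli/PDO connection with literal host/DSN, user and password: credentials baked
# into source instead of read from configuration (CWE-798).
HARDCODED_DB_RE = re.compile(
    r"(?:new\s+mysqli|mysqli_connect|new\s+PDO)\s*\(\s*" + _LIT + r"\s*,\s*" + _LIT + r"\s*,\s*" + _LIT
)


def version_tuple(v: str) -> tuple:
    """Numeric dotted version to a tuple; non-numeric suffixes are dropped."""
    out = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def is_affected_version(v: str) -> bool:
    """True when v <= 1.9.8, comparing component-wise with zero padding."""
    a, b = version_tuple(v), version_tuple(LAST_VULNERABLE_VERSION)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def read_plugin_header(plugin_dir: Path) -> dict:
    """Header fields from the first top-level PHP file carrying a Plugin Name
    header; WordPress itself only reads the first 8 KiB of that file."""
    for php in sorted(plugin_dir.glob("*.php")):
        fields = dict(HEADER_RE.findall(php.read_text(errors="replace")[:8192]))
        if "Plugin Name" in fields:
            return fields
    return {}


def scan_plugins_dir(plugins_root) -> list:
    """Report every copy of the affected plugin found under plugins_root."""
    findings = []
    for d in sorted(Path(plugins_root).iterdir()):
        if not d.is_dir():
            continue
        hdr = read_plugin_header(d)
        if AFFECTED_PLUGIN_NAME.lower() not in hdr.get("Plugin Name", "").lower():
            continue
        version = hdr.get("Version", "0")
        db_hits, class_hits = [], []
        for php in sorted(d.rglob("*.php")):
            src = php.read_text(errors="replace")
            rel = str(php.relative_to(d))
            if HARDCODED_DB_RE.search(src):
                db_hits.append(rel)
            if CLASS_RE.search(src):
                class_hits.append(rel)
        findings.append({"plugin": d.name, "version": version,
                         "affected": is_affected_version(version),
                         "hardcoded_db_calls": db_hits,
                         "telemetry_class_files": class_hits})
    return findings


def build_sample_site() -> Path:
    """Constructed wp-content/plugins tree: one vulnerable-looking copy, one copy
    at a higher (made-up) version without literal credentials, one unrelated plugin."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    header = "<?php\n/*\nPlugin Name: Text to Speech for WP (AI Voices by Mementor)\nVersion: %s\n*/\n"
    vuln = root / "text-to-speech-for-wp"
    (vuln / "includes").mkdir(parents=True)
    (vuln / "tts.php").write_text(header % "1.9.8")
    (vuln / "includes" / "class-remote-telemetry.php").write_text(
        "<?php\nclass Mementor_TTS_Remote_Telemetry {\n  public function connect() {\n"
        "    // constructed CWE-798 pattern: literal host, user and obfuscated password\n"
        "    return new mysqli('telemetry.example.invalid', 'tts_writer', base64_decode('c2VjcmV0'));\n"
        "  }\n}\n")
    fixed = root / "text-to-speech-for-wp-fixed"   # "1.9.9" is a made-up version number
    (fixed / "includes").mkdir(parents=True)
    (fixed / "tts.php").write_text(header % "1.9.9")
    (fixed / "includes" / "class-remote-telemetry.php").write_text(
        "<?php\nclass Mementor_TTS_Remote_Telemetry {\n  public function connect() {\n"
        "    // no direct DB client; any credentials come from server-side configuration\n"
        "    return wp_remote_post($this->endpoint, array('body' => $this->payload()));\n  }\n}\n")
    other = root / "akismet"
    other.mkdir()
    (other / "akismet.php").write_text("<?php\n/*\nPlugin Name: Akismet Anti-spam\nVersion: 5.3\n*/\n")
    return root


if __name__ == "__main__":
    for finding in scan_plugins_dir(build_sample_site()):
        print(finding)
```

Point scan_plugins_dir at a real wp-content/plugins path to use it on a site; the version check alone is what the advisory supports, while the literal-credential grep is a heuristic that will also surface other plugins connecting to databases with literal credentials, which is worth knowing about in its own right.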

EU & UK References

Vulnerability details

The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.

CWE(s)

CWE-798 Use of Hard-coded Credentials

AI Security Analysis

AI Category
Other Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Hardcoded credentials in plugin source code directly enable credential access via T1552.001 (Credentials In Files).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-55263 (shared CWE-798)
CVE-2026-48242 (shared CWE-798)
CVE-2026-42375 (shared CWE-798)
CVE-2024-50688 (shared CWE-798)
CVE-2026-32138 (shared CWE-798)
CVE-2026-48241 (shared CWE-798)
CVE-2025-14115 (shared CWE-798)
CVE-2026-42372 (shared CWE-798)
CVE-2024-55027 (shared CWE-798)
CVE-2026-26334 (shared CWE-798)

Affected Assets

Text to Speech for WP (AI Voices by Mementor) plugin for WordPress, all versions up to and including 1.9.8
The affected asset is the plugin, not WordPress core. Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 Flaw Remediation
Requires timely installation of the patch that removes the hardcoded MySQL credentials from the vulnerable plugin, directly eliminating the exposure in your own deployment (the credentials themselves can only be revoked by the vendor).

detect: vulnerability scanning
Vulnerability scanning identifies installations of the affected Text to Speech for WP plugin at versions up to and including 1.9.8.

prevent: CM-10 Software Usage Restrictions
Restricts execution of unauthorized software, such as a WordPress plugin that ships hardcoded credentials, so that unvetted plugins are not installed in the first place.

References