CVE-2026-1233
Published: 04 April 2026
Summary
CVE-2026-1233 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).
Deeper analysis
CVE-2026-1233 is a sensitive information disclosure vulnerability affecting the Text to Speech for WP (AI Voices by Mementor) plugin for WordPress in all versions up to and including 1.9.8. The issue stems from hardcoded MySQL database credentials embedded in the Mementor_TTS_Remote_Telemetry class, which connect to the vendor's external telemetry server. This flaw, classified under CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network accessibility and no prerequisites for exploitation.
Unauthenticated attackers can exploit this vulnerability by accessing the plugin's code, extracting the hardcoded credentials, and decoding them to gain unauthorized write access to the vendor's telemetry database. No privileges, user interaction, or special conditions are required, enabling remote exploitation over the network with low complexity.
Mitigation details are available in the referenced advisories: the WordPress plugin trac changeset 3453258 documents the patch addressing the hardcoded credentials, while the Wordfence threat intelligence page provides further vulnerability analysis and recommends updating to a patched version beyond 1.9.8. Security practitioners should scan WordPress sites for the affected plugin and apply updates immediately.
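The scan the advisory recommends, as an added example that is not code from the advisory, the plugin vendor or Wordfence: it reads a plugin's header for name and version, compares the version against the 1.9.8 ceiling, and flags MySQL connection calls that are fed string literals (base64-wrapped or not) instead of configuration. The two PHP samples, the hostname and the encoded values are constructed placeholders; the header field names are the ones WordPress itself parses, and the class name comes from the advisory.

```python
"""Defender-side checks for the CVE-2026-1233 pattern: a WordPress plugin at or below
a known-vulnerable version whose PHP source embeds (base64-wrapped) MySQL credentials."""
import re
LAST_VULNERABLE_VERSION = "1.9.8"   # advisory: all versions up to and including 1.9.8

# Header fields WordPress reads from a plugin's main file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
# Direct MySQL connection calls and the argument list they are given.
CONN_RE = re.compile(r"(new\s+mysqli|mysqli_connect|mysql_connect|new\s+PDO)\s*\((.*?)\)\s*;", re.S)
STRING_LITERAL_RE = re.compile(r"""(['"])(.*?)\1""", re.S)

# Constructed sample files modelled on the advisory's description; the class body,
# hostname and base64 values are placeholders, not the vendor's code or credentials.
SAMPLE_MAIN = "<?php\n/**\n * Plugin Name: Text to Speech for WP\n * Version: 1.9.8\n */\n"
SAMPLE_CLASS = """<?php
class Mementor_TTS_Remote_Telemetry {
    public function connect() {
        return new mysqli('telemetry.example.invalid',
                          base64_decode('dGVsZW1ldHJ5X3VzZXI='),
                          base64_decode('UGxhY2Vob2xkZXItcGFzcw=='), 'telemetry');
    }
}
"""

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def parse_plugin_header(source):
    """Return the 'Plugin Name' and 'Version' header fields as a dict."""
    return dict(HEADER_RE.findall(source))

def is_vulnerable_version(version, last_vulnerable=LAST_VULNERABLE_VERSION):
    return version_tuple(version) <= version_tuple(last_vulnerable)

def find_hardcoded_db_creds(source):
    """Flag connection calls fed three or more string literals (host plus credentials):
    those values live in the code. base64_decode() only obfuscates, so it is noted."""
    findings = []
    for call, args in CONN_RE.findall(source):
        literals = STRING_LITERAL_RE.findall(args)
        if len(literals) >= 3:
            findings.append({"call": re.sub(r"\s+", " ", call), "literals": len(literals),
                             "encoded": "base64_decode" in args})
    return findings

def assess_plugin(main_source, class_source):
    """Combine the version check and the source scan into one verdict."""
    header = parse_plugin_header(main_source)
    return {"name": header.get("Plugin Name"), "version": header.get("Version"),
            "vulnerable_version": is_vulnerable_version(header["Version"]),
            "hardcoded_creds": find_hardcoded_db_creds(class_source)}
```

A patched build will still connect somewhere; the point of the literal count is to catch credentials that cannot be rotated without shipping a new release.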
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18993
Vulnerability details
The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials in plugin source code directly enable credential access via T1552.001 (Credentials In Files).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely installation of patches that remove the hardcoded MySQL credentials from the vulnerable plugin, directly eliminating the exposure.
- Vulnerability scanning identifies installations of the affected Text to Speech for WP plugin versions up to 1.9.8.
- CM-10 (Software Usage Restrictions): Restricts execution of unauthorized software like the vulnerable WordPress plugin containing hardcoded credentials.