CVE-2025-9196 Overview
CVE-2025-9196 affects the Trinity Audio – Text to Speech AI audio player plugin for WordPress. The plugin is vulnerable to Sensitive Information Exposure in all versions up to and including 5.21.0. The issue stems from a ~/admin/inc/phpinfo.php file created during plugin installation. Unauthenticated attackers can request this file remotely to extract configuration data and other sensitive server information. The weakness is tracked as CWE-200, Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Remote unauthenticated attackers can retrieve PHP configuration details, environment variables, loaded modules, and file paths that assist follow-on attacks against the WordPress site.
Affected Products
- Trinity Audio – Text to Speech AI audio player WordPress plugin, all versions through 5.21.0
- WordPress sites hosting the vulnerable plugin
- PHP environments where phpinfo() output reveals server configuration
Discovery Timeline
- 2025-10-11 - CVE-2025-9196 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9196
Vulnerability Analysis
The Trinity Audio plugin ships a diagnostic file at ~/admin/inc/phpinfo.php that is deployed during installation. The file invokes PHP's phpinfo() function, which prints a complete dump of the PHP runtime configuration. Because the file resides inside the plugin directory under wp-content/plugins/, it is directly reachable over HTTP without authentication. The web server executes the script and returns the output to any caller.
Attackers can request the endpoint directly using a standard HTTP GET. The response discloses PHP version, loaded extensions, php.ini settings, environment variables, absolute filesystem paths, and HTTP request headers. This information supports reconnaissance for exploit chaining against other plugins, themes, or the underlying operating system.
Root Cause
The root cause is an insecure plugin design decision: a diagnostic script that exposes phpinfo() output was included in the distributed package and placed inside a publicly served directory. No authentication check, capability check, or .htaccess restriction gates access to the file. The vendor removed the file in the version following 5.21.0 based on the WordPress plugin changeset.
Attack Vector
Exploitation requires only network access to the target WordPress site. An unauthenticated attacker issues an HTTP request to the plugin path containing phpinfo.php. No user interaction is needed and the request leaves standard web server access log entries. The disclosed data has no direct integrity or availability impact but reduces attacker cost for subsequent stages. See the Wordfence Vulnerability Report for additional details.
Detection Methods for CVE-2025-9196
Indicators of Compromise
- HTTP GET requests to any URL path ending in /wp-content/plugins/trinity-audio/admin/inc/phpinfo.php
- Successful 200 responses served for the phpinfo.php path with response bodies containing phpinfo() HTML markers such as <title>phpinfo()</title>
- Repeated access to plugin administrative subdirectories from unauthenticated sources
Detection Strategies
- Search web server access logs for requests referencing trinity-audio/admin/inc/phpinfo.php and flag any non-404 responses
- Perform an authenticated file inventory of the plugin directory and alert when phpinfo.php is present
- Deploy web application firewall rules that block requests to phpinfo.php under wp-content/plugins/
Monitoring Recommendations
- Ingest WordPress access logs into a centralized log platform and build queries for plugin-path reconnaissance patterns
- Correlate phpinfo.php access with follow-on requests to wp-login.php, xmlrpc.php, or known exploit endpoints from the same source IP
- Track outbound scanning tools like wpscan and nuclei templates that specifically probe for exposed phpinfo() files
How to Mitigate CVE-2025-9196
Immediate Actions Required
- Update the Trinity Audio plugin to the version released after 5.21.0 that removes phpinfo.php
- If immediate patching is not possible, delete the wp-content/plugins/trinity-audio/admin/inc/phpinfo.php file from every affected site
- Rotate any credentials, API keys, or secrets that may have been visible in PHP environment variables
Patch Information
The vendor removed the phpinfo.php file in the release following 5.21.0. Review the fix in the WordPress plugin changeset and confirm the file is absent after upgrade. Site operators should verify the installed version through the WordPress admin plugins screen.
Workarounds
- Remove or rename the phpinfo.php file inside the plugin directory until an upgrade is applied
- Add a web server rule such as an Apache <Files> or nginx location block that returns 403 for any request to phpinfo.php
- Configure PHP with disable_functions = phpinfo in php.ini to neutralize the disclosure if the file is invoked
# Configuration example
# Apache: block direct access to phpinfo.php inside plugin directories
<FilesMatch "phpinfo\.php$">
Require all denied
</FilesMatch>
# nginx equivalent
location ~* /wp-content/plugins/.*/phpinfo\.php$ {
deny all;
return 403;
}
# PHP hardening
# In php.ini
disable_functions = phpinfo, system, exec, passthru, shell_exec
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

