What the vulnerability does
01 Description
The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.
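A site operator can check whether an installation falls in the range described above. The following is an added example, not code from the advisory or the plugin: it walks a plugins directory, finds folders that define the `Mementor_TTS_Remote_Telemetry` class, and compares the plugin header version against 1.9.8. The sample folder names, file names and the 2.0.0 version are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (1, 9, 8)  # advisory: "up to, and including, 1.9.8"
CLASS_RE = re.compile(r"\bclass\s+Mementor_TTS_Remote_Telemetry\b")
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M | re.I)

def parse_version(text):
    """Read the WordPress plugin header 'Version:' (WordPress scans the first 8 KB)."""
    m = VERSION_RE.search(text[:8192])
    return tuple(int(p) for p in m.group(1).split(".") if p) if m else None

def audit_plugins(plugins_dir):
    """Return one finding per plugin folder that defines the telemetry class."""
    findings = []
    for plugin in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        version, class_files = None, []
        for php in sorted(plugin.rglob("*.php")):
            text = php.read_text(encoding="utf-8", errors="replace")
            if CLASS_RE.search(text):
                class_files.append(php.relative_to(plugin).as_posix())
            if php.parent == plugin and version is None:
                version = parse_version(text)  # header lives in a top-level file
        if class_files:
            # Fail closed: an unreadable version is treated as in range.
            in_range = version is None or version <= AFFECTED_MAX
            findings.append({"plugin": plugin.name, "version": version,
                             "class_files": class_files, "in_affected_range": in_range})
    return findings

def build_sample(root):
    """Constructed tree; folder names, file names and 2.0.0 are made up."""
    for name, ver in (("tts-old", "1.9.8"), ("tts-new", "2.0.0")):
        inc = Path(root, name, "includes")
        inc.mkdir(parents=True)
        Path(root, name, "main.php").write_text(
            f"<?php\n/*\n * Plugin Name: Sample\n * Version: {ver}\n */\n")
        (inc / "telemetry.php").write_text(
            "<?php\nclass Mementor_TTS_Remote_Telemetry {}\n")
    Path(root, "other").mkdir()
    Path(root, "other", "other.php").write_text("<?php\n/* Version: 1.0 */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_plugins(tmp):
            print(finding)
```

On a real site, pass the path of the `wp-content/plugins` directory to `audit_plugins`; the script only reads file names, the class declaration and the version header.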
Explanation of Vulnerability in Simple Terms
02 Summary
Text to Speech – TTSWP versions 1.9.8 and earlier contain hardcoded credentials or API keys that can be extracted from the plugin code. An attacker with network access can use these credentials to authenticate to the plugin's backend services without authorization. This allows unauthorized access to text-to-speech functionality and potentially other sensitive operations.
What an attacker can do
03 Attacker Capabilities
Extract hardcoded credentials from the plugin and use them to access backend services without authorization.
Potential impact on your site
04 Site Impact
Attackers can abuse your site's text-to-speech quota, access backend APIs, or pivot to other services using exposed credentials.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
April 4, 2026: CVE published
April 8, 2026: Record updated