CVE-2026-1233 HIGH

CVE-2026-1233: Text to Speech (TTS) by Mementor <= 1.9.8 - Use of Hardcoded Password to Unauthenticated Remote Database Access

Vendor: Mvirik
Product: Text to Speech – TTSWP
Weakness: CWE-798 · Hardcoded credentials
Published: April 4, 2026
Last update: April 8, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.
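A defender-side check for the condition described above, as an added example (not code from the plugin or from this advisory): it walks a WordPress plugins directory, finds any plugin that declares the `Mementor_TTS_Remote_Telemetry` class, and flags it when its header version is 1.9.8 or lower. The directory names, versions and file layout used in `demo()` are constructed, since the page does not give the plugin's slug or file paths.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 9, 8)  # advisory: all versions up to and including 1.9.8
TELEMETRY_CLASS = "Mementor_TTS_Remote_Telemetry"  # class named in the advisory
CLASS_RE = re.compile(r"\bclass\s+" + TELEMETRY_CLASS + r"\b")
# WordPress reads "Version:" from the comment header of a plugin's main file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M | re.I)

def read(path):
    return path.read_text(encoding="utf-8", errors="replace")

def plugin_version(plugin_dir):
    """Header version from a top-level PHP file of the plugin, or None."""
    for php in sorted(plugin_dir.glob("*.php")):
        m = VERSION_RE.search(read(php)[:8192])
        if m:
            return tuple(int(p) for p in m.group(1).split(".") if p)
    return None

def find_affected(plugins_root):
    """Report every plugin directory that ships the telemetry class."""
    findings = []
    for pdir in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        hits = [f for f in sorted(pdir.rglob("*.php")) if CLASS_RE.search(read(f))]
        if not hits:
            continue
        version = plugin_version(pdir)
        # An unreadable version counts as affected so it gets a manual look.
        affected = version is None or version <= LAST_AFFECTED
        findings.append({"plugin": pdir.name, "version": version, "affected": affected,
                         "file": hits[0].relative_to(plugins_root).as_posix()})
    return findings

def demo():
    """Scan a constructed plugins tree (directory names and versions are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for name, ver in (("tts-in-range", "1.9.8"), ("tts-above-range", "1.10.0")):
            Path(root, name, "includes").mkdir(parents=True)
            Path(root, name, "main.php").write_text(f"<?php\n/**\n * Version: {ver}\n */\n")
            Path(root, name, "includes", "telemetry.php").write_text(
                f"<?php\nclass {TELEMETRY_CLASS} {{ /* constructed stub */ }}\n")
        Path(root, "unrelated").mkdir()
        Path(root, "unrelated", "unrelated.php").write_text("<?php\n/* Version: 1.0 */\n")
        return find_affected(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real site, pass the path of `wp-content/plugins` to `find_affected()`; a hit with `affected` set to true is an install that still ships the embedded telemetry credentials.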

Explanation of Vulnerability in Simple Terms

02 Summary

Text to Speech – TTSWP versions 1.9.8 and earlier contain hardcoded credentials or API keys that can be extracted from the plugin code. An attacker with network access can use these credentials to authenticate to the plugin's backend services without authorization. This allows unauthorized access to text-to-speech functionality and potentially other sensitive operations.

What an attacker can do

03 Attacker Capabilities

Extract hardcoded credentials from the plugin and use them to access backend services without authorization.

Potential impact on your site

04 Site Impact

Attackers can abuse your site's text-to-speech quota, access backend APIs, or pivot to other services using exposed credentials.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

April 4, 2026: CVE published
April 8, 2026: Record updated