EUVD-2026-18993
GHSA-6cvm-3hgq-v87x
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.
Analysis
Hardcoded database credentials in Text to Speech for WP (AI Voices by Mementor) WordPress plugin versions ≤1.9.8 expose the vendor's external telemetry MySQL server to unauthorized write access by unauthenticated remote attackers. The credentials are embedded in the Mementor_TTS_Remote_Telemetry class and can be extracted via static analysis or HTTP request inspection. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WordPress installations running AI Voices by Mementor plugin and document current versions via admin dashboard or WP-CLI. Within 7 days: Immediately deactivate and remove all instances of the plugin (versions ≤1.9.8); if text-to-speech functionality is critical, evaluate alternative plugins without embedded credentials or contact vendor for security timeline on patched version 1.9.9 or later. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today