CVE-2025-15508 Overview
The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This vulnerability allows unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode.
Critical Impact
Unauthenticated attackers can extract sensitive API license keys from exposed WordPress page sources, potentially enabling unauthorized access to magicimport.ai services or further attacks leveraging the compromised credentials.
Affected Products
- Magic Import Document Extractor plugin for WordPress versions up to and including 1.0.4
- WordPress sites with the plugin's shortcode embedded on public-facing pages
- Sites utilizing magicimport.ai license keys through this plugin
Discovery Timeline
- 2026-02-04 - CVE-2025-15508 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-15508
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists within the get_frontend_settings() function located in the plugin's public class file. When the plugin's shortcode is rendered on a WordPress page, the function improperly exposes the magicimport.ai license key directly in the page source code, making it accessible to any visitor—including unauthenticated attackers.
The exposure occurs because the plugin fails to properly sanitize or restrict sensitive configuration data when generating frontend output. This design flaw means that any page utilizing the plugin's shortcode becomes a potential vector for credential harvesting.
Root Cause
The root cause of this vulnerability is improper handling of sensitive credentials in frontend-accessible code paths. The get_frontend_settings() function in /public/class-public.php (line 379) outputs the license key configuration to the client side without implementing proper access controls or obfuscation. This is a fundamental violation of secure coding practice: sensitive credentials should never be exposed to the client side.
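As an added illustration (not the plugin's own code; every function, option and endpoint name below is an assumption), the pattern behind this class of bug beside a hardened form that keeps the key server-side and proxies the upstream call through a nonce-checked AJAX handler:

```php
<?php
// Added illustration, not the plugin's own code: all names below are assumed.
// Vulnerable pattern: the settings array that gets localized into the page
// carries the license key, so it ends up in the HTML served to every visitor.
function mi_example_get_frontend_settings_vulnerable(): array {
    return [
        'ajax_url'    => admin_url( 'admin-ajax.php' ),
        'license_key' => get_option( 'mi_example_license_key' ), // leaked to the client
    ];
}

// Hardened form: the browser receives only an endpoint, an action and a nonce;
// the key never leaves the server.
function mi_example_get_frontend_settings_fixed(): array {
    return [
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'action'   => 'mi_example_extract',
        'nonce'    => wp_create_nonce( 'mi_example_extract' ),
    ];
}

// Shortcode handler: only the safe settings are localized into the page source.
function mi_example_render_shortcode( $atts ): string {
    wp_enqueue_script( 'mi-example-frontend', plugins_url( 'frontend.js', __FILE__ ), [], '1.0', true );
    wp_localize_script( 'mi-example-frontend', 'miExampleSettings', mi_example_get_frontend_settings_fixed() );
    return '<div class="mi-example-extractor"></div>';
}
add_shortcode( 'mi_example_extractor', 'mi_example_render_shortcode' );

// Server-side proxy: the key is attached here, after the nonce check, and is never echoed back.
function mi_example_ajax_extract(): void {
    check_ajax_referer( 'mi_example_extract', 'nonce' );
    $document = sanitize_text_field( wp_unslash( $_POST['document'] ?? '' ) );
    $response = wp_remote_post( 'https://api.example.invalid/extract', [ // placeholder upstream URL
        'headers' => [ 'Authorization' => 'Bearer ' . get_option( 'mi_example_license_key' ) ],
        'body'    => [ 'document' => $document ],
        'timeout' => 20,
    ] );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( [ 'message' => 'upstream request failed' ], 502 );
    }
    wp_send_json_success( json_decode( wp_remote_retrieve_body( $response ), true ) );
}
add_action( 'wp_ajax_mi_example_extract', 'mi_example_ajax_extract' );
// Keep the nopriv hook only if anonymous visitors are meant to use the feature;
// even then, the key itself is no longer recoverable from the page source.
add_action( 'wp_ajax_nopriv_mi_example_extract', 'mi_example_ajax_extract' );
```

With the hardened form, viewing the source of a shortcode page shows only ajax_url, action and nonce inside miExampleSettings; checking that no key-shaped value remains in the localized settings is the verification step to run after deploying a patched plugin.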
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can simply:
- Identify WordPress sites using the Magic Import Document Extractor plugin
- Navigate to any page containing the plugin's shortcode
- View the page source code to extract the exposed license key
- Use the harvested license key for unauthorized access to magicimport.ai services or as reconnaissance for further attacks
The exposed key can be read by viewing the HTML source of any affected page, so exploitation requires nothing more than a standard web browser. For more technical details, refer to the WordPress Plugin Code Review.
Detection Methods for CVE-2025-15508
Indicators of Compromise
- Unexpected or unauthorized API calls to magicimport.ai services using your license key
- License key usage reports showing activity from unknown IP addresses or geographic locations
- Increased API quota consumption beyond normal operational patterns
- Evidence of automated scraping targeting pages with the plugin's shortcode
Detection Strategies
- Review web server access logs for unusual patterns of requests to pages containing the plugin's shortcode
- Monitor magicimport.ai account activity for unauthorized usage or suspicious API calls
- Implement web application firewall (WAF) rules to detect automated source code scraping attempts
- Conduct regular code audits of plugin output to identify exposed sensitive information
Monitoring Recommendations
- Enable logging and alerting for API key usage through magicimport.ai dashboard
- Configure SIEM rules to detect mass page source requests from single IP addresses
- Implement Content Security Policy headers to help identify potential data exfiltration attempts
- Review WordPress plugin inventory and ensure all plugins are updated to secure versions
How to Mitigate CVE-2025-15508
Immediate Actions Required
- Update the Magic Import Document Extractor plugin to a version newer than 1.0.4 if a patched version is available
- If no patch is available, disable or remove the plugin until a fix is released
- Regenerate and rotate the magicimport.ai license key immediately if the vulnerable version was deployed
- Review magicimport.ai account activity logs for signs of unauthorized access
Patch Information
Organizations should monitor the Wordfence Vulnerability Report for updates on patched versions. Until an official patch is released, the plugin should be deactivated on production sites. The vulnerable code is located in the get_frontend_settings() function at line 379 of /public/class-public.php.
Workarounds
- Deactivate the Magic Import Document Extractor plugin until a security update is available
- If the plugin is essential, restrict access to pages containing the shortcode using server-side authentication
- Implement a Web Application Firewall (WAF) rule to block access to affected page sources for unauthenticated users
- Consider using a caching plugin configured to exclude sensitive shortcode output from cached pages
# WordPress CLI: Deactivate the vulnerable plugin
wp plugin deactivate magic-import-document-extractor
# Verify plugin status
wp plugin status magic-import-document-extractor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.