{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15507", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-11T11:18:03.486Z", "datePublished": "2026-02-04T08:25:30.675Z", "dateUpdated": "2026-04-08T16:58:26.999Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:26.999Z"}, "affected": [{"vendor": "magicimport", "product": "Magic Import Document Extractor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance."}], "title": "Magic Import Document Extractor <= 1.0.5 - Missing Authorization to Unauthenticated Plugin License Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6854e470-26ac-4747-b72c-164e79e1a1b1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L225"}, {"url": "https://plugins.trac.wordpress.org/changeset/3452549/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "timeline": [{"time": "2025-12-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-03T19:31:58.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:48:21.423064Z", "id": "CVE-2025-15507", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:48:28.737Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:48:21.423064Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:48:25.977Z"}}], "cna": {"title": "Magic Import Document Extractor <= 1.0.5 - Missing Authorization to Unauthenticated Plugin License Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "magicimport", "product": "Magic Import Document Extractor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-16T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-03T19:31:58.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6854e470-26ac-4747-b72c-164e79e1a1b1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L225"}, {"url": "https://plugins.trac.wordpress.org/changeset/3452549/"}], "descriptions": [{"lang": "en", "value": "The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:26.999Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15507", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:26.999Z", "dateReserved": "2026-01-11T11:18:03.486Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T08:25:30.675Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance."}, {"lang": "es", "value": "El plugin Magic Import Document Extractor para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n ajax_sync_usage() en todas las versiones hasta la 1.0.4, inclusive. Esto hace posible que atacantes no autenticados modifiquen el estado de licencia y el saldo de cr\u00e9ditos del plugin."}], "id": "CVE-2025-15507", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T09:15:51.377", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L225"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3452549/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6854e470-26ac-4747-b72c-164e79e1a1b1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:06:24.440904+00:00", "value": {"mitigation_remediation": ["Upgrade Magic Import Document Extractor to the latest release (1.0.6 or newer) which includes the missing capability check.", "If an upgrade is not possible, modify the plugin code to add an authentication check before allowing license status changes, such as current_user_can( 'manage_options' ).", "When the license management feature is not required, remove or disable the ajax_sync_usage endpoint entirely."], "summary": {"action": "Patch", "impact": "Unauthenticated License Status Modification"}, "threat_synthesis": {"affected_systems": "Magic Import Document Extractor, versions 1.0.0 through 1.0.5. All installations of those versions running on WordPress sites that expose the plugin\u2019s AJAX endpoint are vulnerable.", "description_and_impact": "The Magic Import Document Extractor plugin contains a missing capability check in the ajax_sync_usage() function for all releases up to 1.0.5. Because the function does not verify the user's permissions, any visitor with network access can call that AJAX endpoint and change the stored license status and credit balance. The result is that an attacker can grant themselves premium features or drain credits without authorization, effectively compromising the plugin\u2019s integrity controls.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, while the EPSS score of < 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by issuing unauthenticated HTTP requests to the ajax_sync_usage endpoint, requiring no authenticated session or additional privileges."}}}}, "created": "2026-02-04T21:18:27.934328+00:00", "updated": "2026-04-21T16:15:40.499933+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}