{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15508", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-11T11:26:23.395Z", "datePublished": "2026-02-04T08:25:31.431Z", "dateUpdated": "2026-04-08T17:11:49.277Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:49.277Z"}, "affected": [{"vendor": "magicimport", "product": "Magic Import Document Extractor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode."}], "title": "Magic Import Document Extractor <= 1.0.6 - Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec72ac5-1851-4074-bea4-ccfd684b9c8d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L379"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "timeline": [{"time": "2025-12-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-03T19:32:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:49:31.604339Z", "id": "CVE-2025-15508", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:49:45.837Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:49:31.604339Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:49:42.670Z"}}], "cna": {"title": "Magic Import Document Extractor <= 1.0.4 - Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "magicimport", "product": "Magic Import Document Extractor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-16T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-03T19:32:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec72ac5-1851-4074-bea4-ccfd684b9c8d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L379"}], "descriptions": [{"lang": "en", "value": "The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-04T08:25:31.431Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15508", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:49:45.837Z", "dateReserved": "2026-01-11T11:26:23.395Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T08:25:31.431Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode."}, {"lang": "es", "value": "El plugin Magic Import Document Extractor para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n sensible en todas las versiones hasta la 1.0.4, inclusive, a trav\u00e9s de la funci\u00f3n get_frontend_settings(). Esto permite a atacantes no autenticados extraer la clave de licencia magicimport.ai del sitio del c\u00f3digo fuente de la p\u00e1gina en cualquier p\u00e1gina que contenga el shortcode del plugin."}], "id": "CVE-2025-15508", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T09:15:51.547", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L379"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec72ac5-1851-4074-bea4-ccfd684b9c8d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:05:49.023408+00:00", "value": {"mitigation_remediation": ["Update to a fixed version of Magic Import Document Extractor that removes the public exposure of the license key.", "If an update is unavailable, modify the plugin to conditionally hide the get_frontend_settings() output so that only authenticated administrators can view it.", "Add web\u2011application firewall or content security rules to prevent the license key from appearing in the HTML source of public pages presenting the shortcode."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is Magic Import Document Extractor from the vendor magicimport. All released versions up to and including 1.0.4 are vulnerable, as the plugin does not perform any authentication checks when rendering the front\u2011end settings on pages that contain its shortcode.", "description_and_impact": "The vulnerability resides in the get_frontend_settings() function of the Magic Import Document Extractor WordPress plugin, allowing unauthenticated users to view the site's magicimport.ai license key. Exposure of this key can provide attackers with proprietary authentication credentials, potentially enabling further compromise of the host or access to licensed services. The weakness is a classical information disclosure flaw (CWE-200).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is unauthenticated, simply by visiting any publicly accessible page that embeds the plugin\u2019s shortcode and viewing the page source to locate the leaked license key. An attacker can obtain the key without any special privileges or interaction beyond access to the site."}}}}, "created": "2026-02-04T21:18:03.534412+00:00", "updated": "2026-04-21T16:15:40.499396+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}