CVE-2025-15507 identifies a missing authorization vulnerability (CWE-862) in the Magic Import Document Extractor plugin for WordPress, specifically in the ajax_sync_usage() function. This function lacks proper capability checks, allowing unauthenticated attackers to invoke it remotely and modify sensitive plugin data such as license status and credit balances. The vulnerability affects all versions up to and including 1.0.4. The absence of authentication and user interaction requirements makes exploitation straightforward over the network. While the vulnerability does not expose confidential information or disrupt service availability, it compromises data integrity by enabling unauthorized changes to licensing and credit information. No patches are currently available, and no active exploits have been reported. The vulnerability was reserved in January 2026 and published in February 2026 with a CVSS 3.1 base score of 5.3, reflecting medium severity. The flaw stems from inadequate access control in the plugin's AJAX handler, a common issue in WordPress plugins that can lead to privilege escalation or data tampering. Organizations using this plugin should monitor for updates and consider interim controls such as restricting access to AJAX endpoints or employing web application firewalls to detect anomalous requests.

The primary impact of this vulnerability is unauthorized modification of plugin data, specifically license status and credit balances, which can lead to license circumvention or financial inconsistencies. Although it does not directly compromise confidentiality or availability, the integrity breach can undermine trust in the plugin's licensing mechanism and potentially cause revenue loss for vendors or users relying on license enforcement. Organizations using the Magic Import Document Extractor plugin may face risks of unauthorized license extension or credit manipulation, which could affect compliance and financial auditing. The ease of exploitation without authentication increases the risk of automated or opportunistic attacks. While no known exploits exist yet, the vulnerability's presence in all versions up to 1.0.4 means a broad attack surface. This could also encourage attackers to develop exploits, especially targeting sites with high-value licenses or credit balances. Overall, the impact is moderate but significant enough to warrant prompt mitigation to prevent abuse and maintain data integrity.

1. Monitor the Magic Import Document Extractor plugin for official security updates or patches addressing CVE-2025-15507 and apply them immediately upon release. 2. Until a patch is available, restrict access to the ajax_sync_usage() AJAX endpoint by implementing web server or application-level access controls, such as IP whitelisting or authentication requirements. 3. Employ a Web Application Firewall (WAF) to detect and block unauthorized or anomalous AJAX requests targeting the vulnerable function. 4. Review and harden WordPress plugin permissions and capabilities to ensure that only authorized users can invoke sensitive plugin functions. 5. Conduct regular audits of plugin license and credit data to detect unauthorized modifications early. 6. Educate site administrators about the risks of installing plugins from unverified sources and encourage minimal plugin usage to reduce attack surface. 7. Consider isolating or sandboxing critical plugins to limit the impact of potential vulnerabilities. 8. Implement logging and monitoring of AJAX calls to identify suspicious activity related to license or credit manipulation attempts.