CVE-2025-15508: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in magicimport Magic Import Document Extractor
The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode.
AI Analysis
Technical Summary
CVE-2025-15508 is a medium severity vulnerability (CVSS 5.3) in the Magic Import Document Extractor WordPress plugin. The issue is an exposure of sensitive information (CWE-200) via the get_frontend_settings() function, which outputs the magicimport.ai license key in the page source for any page containing the plugin's shortcode. This allows unauthenticated remote attackers to retrieve the license key without any privileges or user interaction. The vulnerability affects all versions up to and including 1.0.4. No patch or official fix information is provided in the available data.
Potential Impact
An attacker can obtain the magicimport.ai license key from the page source of any page using the vulnerable plugin shortcode. This exposure could lead to unauthorized use or abuse of the license key, potentially impacting licensing or service usage. There is no indication of direct impact on site integrity, confidentiality of other data, or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider removing or disabling the Magic Import Document Extractor plugin or avoiding use of its shortcode on publicly accessible pages to prevent license key exposure.
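A site owner's check for the exposure described above, as an added example that is not part of the original advisory or the plugin's code: it scans saved page HTML for the site's own license key in the encodings it is likely to be rendered in. The sample key, the sample page and the `exampleSettings` object name are constructed, since the advisory does not show the real markup.

```python
import base64
import json
import urllib.parse
from html.parser import HTMLParser

# Constructed sample: placeholder key, hypothetical settings object name.
SAMPLE_KEY = "EXAMPLE-0000/not+a+real+key"
SAMPLE_PAGE = """<html><body><script>
var exampleSettings = {"licenseKey":"EXAMPLE-0000\\/not+a+real+key"};
</script></body></html>"""

def key_variants(key):
    """Map each encoded form of the key to a label ("raw" wins on ties)."""
    forms = {
        "base64": base64.b64encode(key.encode()).decode(),
        "url-encoded": urllib.parse.quote(key, safe=""),
        # PHP's json_encode() escapes "/" as "\/" by default.
        "json-escaped": json.dumps(key)[1:-1].replace("/", "\\/"),
        "raw": key,
    }
    return {value: label for label, value in forms.items()}

class KeyLocator(HTMLParser):
    """Records (location, encoding, line) wherever a key variant is served."""
    def __init__(self, variants):
        super().__init__()
        self.variants, self.hits, self.tag = variants, [], None

    def scan(self, text, where):
        for needle, label in self.variants.items():
            if needle in text:
                line = self.getpos()[0] + text[: text.index(needle)].count("\n")
                self.hits.append((where, label, line))

    def handle_starttag(self, tag, attrs):
        self.tag = tag
        for name, value in attrs:  # attribute values arrive entity-decoded
            self.scan(value or "", f"{tag}[{name}]")

    def handle_endtag(self, tag):
        self.tag = None
    def handle_data(self, data):
        self.scan(data, "inline script" if self.tag == "script" else "text")

def find_key_exposures(page_html, license_key):
    locator = KeyLocator(key_variants(license_key))
    locator.feed(page_html)
    locator.close()
    return locator.hits
```

Run it against pages saved with the shortcode active and again after disabling the plugin or removing the shortcode; an empty list means the key is no longer served in any of these forms.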
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-11T11:26:23.395Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69830729f9fa50a62f79eb76
Added to database: 2/4/2026, 8:45:29 AM
Last enriched: 4/9/2026, 4:57:21 PM
Last updated: 5/7/2026, 5:11:06 AM