
CVE-2025-15508: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in magicimport Magic Import Document Extractor

Severity: Medium
Tags: Vulnerability, CVE-2025-15508, CWE-200
Published: Wed Feb 04 2026 (02/04/2026, 08:25:31 UTC)
Source: CVE Database V5
Vendor/Project: magicimport
Product: Magic Import Document Extractor

Description

The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 12:01:21 UTC

Technical Analysis

The Magic Import Document Extractor plugin for WordPress, in all versions up to and including 1.0.4, exposes the site's magicimport.ai license key to anyone who can load a page that renders the plugin's shortcode (CVE-2025-15508). The plugin's get_frontend_settings() function builds the settings it hands to its frontend JavaScript, and that settings payload includes the license key. Because the payload is written into the HTML of every page that contains the shortcode, an unauthenticated visitor can read the key from the page source, or with a single HTTP GET, with no authentication, user interaction or special tooling. The weakness is CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. The CVSS 3.1 base score is 5.3 (Medium): attack vector network, attack complexity low, no privileges required, no user interaction, scope unchanged, with a limited confidentiality impact and no impact on integrity or availability. No exploitation in the wild has been reported, but the exposure is trivial to find, and a leaked key can be used to consume the site's magicimport.ai entitlement elsewhere or to abuse the plugin's licensing service. At the time of writing no fix is linked in the CVE record, so administrators must treat the key as compromised and apply the mitigations below.

Potential Impact

The direct impact is disclosure of the site's magicimport.ai license key. Neither user data nor the WordPress site itself is compromised, and there is no integrity or availability impact, but the key is a credential for a paid service: whoever holds it can use the site's entitlement on another installation or feed it into attacks on the licensing backend, with the financial and reputational cost landing on the legitimate licensee. Because the key sits in static page output, it is also picked up by search-engine caches, web archives and the many scanners that routinely fetch public pages, so a key that was exposed for any length of time should be assumed to be already harvested even though no active exploitation has been reported. Every site running an affected version with the shortcode on a publicly reachable page is exposed, and sites that are otherwise attractive targets should expect the leaked key to be used as one step of a chained attack.

Mitigation Recommendations

Treat the key as compromised: ask magicimport.ai to revoke the exposed license key and issue a new one, and do this alongside any other step, because removing the shortcode does not un-leak a key that has already been fetched or cached. Check for a plugin release later than 1.0.4 that addresses the issue and upgrade as soon as one is available; the CVE record links no fix at the time of writing. Until then, remove the shortcode from publicly reachable pages, or put the pages that need it behind authentication or an IP allow-list, so that only trusted users receive the settings payload. Verify the result from the outside: fetch an affected page unauthenticated and confirm that the key no longer appears anywhere in the response. Reviewing web-server logs for unusual fetches of shortcode pages can be done, but an exploitation request looks identical to an ordinary page view, so expect little signal. A Content Security Policy does not help here: the key is in the HTML the server sends, and CSP only restricts what the browser executes, not what a visitor can read. More generally, keep secrets out of any data a plugin localizes or inlines for frontend scripts; the browser needs only an AJAX or REST endpoint and a nonce, and the server-side handler should be the one that uses the key. Finally, keep plugins updated and subscribe to advisories for this plugin so that future issues are handled promptly.
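The audit below is an added example for this advisory, not code from the plugin or from the CVE record. It serves two purposes from the text above: it shows how a license key carried in the frontend settings ends up readable in the page source (Technical Analysis), and it gives the outside-in check recommended in the mitigations, run against a fetched page. It assumes the settings reach the browser as an inline `var name = {...};` assignment, which is how WordPress's wp_localize_script() emits localized data; the advisory does not say which mechanism the plugin uses. The variable name `extractorFrontendSettings`, the key name `license_key` and both sample pages are constructed for the example.

```python
"""Audit rendered WordPress pages for secrets inlined into frontend script settings.

Added example for CVE-2025-15508; not the plugin's code. Assumes settings reach
the browser as an inline `var name = {...};` assignment (wp_localize_script style).
Sample pages below are constructed, not captured from any real site.
"""
import json
import re
from html.parser import HTMLParser

# Setting names whose values should never be handed to an unauthenticated browser.
SENSITIVE_KEY_RE = re.compile(r"licen[cs]e|api[_-]?key|secret|token", re.IGNORECASE)

# `var settingsName = {` ... captures the JS variable so findings carry a path.
_ASSIGNMENT_RE = re.compile(r"(\w+)\s*=\s*\{")
_DECODER = json.JSONDecoder()


class _InlineScriptCollector(HTMLParser):
    """Collect the bodies of inline <script> elements (those without src=)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # None while not inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def _walk(obj, path, findings):
    """Recursively flag non-empty string values stored under sensitive-looking keys."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY_RE.search(key) and isinstance(value, str) and value:
                findings.append((child, value))
            _walk(value, child, findings)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _walk(value, f"{path}[{i}]", findings)


def find_leaked_secrets(html):
    """Return [(js_path, value), ...] for sensitive keys found in inline JSON settings."""
    collector = _InlineScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for body in collector.scripts:
        for match in _ASSIGNMENT_RE.finditer(body):
            try:
                # raw_decode parses exactly one JSON value starting at the opening
                # brace, so nested objects are handled without brace-matching regexes.
                obj, _end = _DECODER.raw_decode(body, match.end() - 1)
            except json.JSONDecodeError:
                continue  # not JSON (e.g. a JS object literal with unquoted keys)
            _walk(obj, match.group(1), findings)
    return findings


def redact(value, keep=4):
    """Keep only the first and last characters so the audit report doesn't re-leak the key."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return f"{value[:keep]}...{value[-keep:]}"


# Constructed sample pages. The first mimics a shortcode page whose inlined settings
# include the license key; the second is the hardened shape, where the browser only
# receives an endpoint and a nonce and the server-side handler holds the key.
LEAKY_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>
var extractorFrontendSettings = {"ajax_url":"https:\\/\\/example.test\\/wp-admin\\/admin-ajax.php","nonce":"a1b2c3d4e5","license_key":"EXAMPLE-KEY-0000-1111-2222"};
</script></head><body><div class="extractor-upload"></div></body></html>"""

HARDENED_PAGE = """<html><head>
<script>
var extractorFrontendSettings = {"ajax_url":"https:\\/\\/example.test\\/wp-admin\\/admin-ajax.php","nonce":"a1b2c3d4e5"};
</script></head><body><div class="extractor-upload"></div></body></html>"""


if __name__ == "__main__":
    for label, page in (("leaky page", LEAKY_PAGE), ("hardened page", HARDENED_PAGE)):
        hits = find_leaked_secrets(page)
        print(f"{label}: {len(hits)} sensitive value(s) in inline settings")
        for path, value in hits:
            print(f"  {path} = {redact(value)}")
```

To check a live site, pass the body of an unauthenticated GET of a shortcode page (for example `urllib.request.urlopen(url).read().decode()`) to `find_leaked_secrets()`. The check is a key-name heuristic: it will miss a secret stored under an innocuous name and will not see settings that are fetched later over AJAX, so an empty result is evidence, not proof. Whatever it reports, a key that has been on a public page should still be rotated.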


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-11T11:26:23.395Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69830729f9fa50a62f79eb76

Added to database: 2/4/2026, 8:45:29 AM

Last enriched: 2/27/2026, 12:01:21 PM

Last updated: 3/24/2026, 4:20:39 PM

Views: 29


