The Magic Import Document Extractor plugin for WordPress, up to version 1.0.4, contains a vulnerability identified as CVE-2025-15508, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in the get_frontend_settings() function, which inadvertently exposes the magicimport.ai license key within the page source code on any page embedding the plugin's shortcode. This exposure occurs without requiring any authentication or user interaction, making it accessible to any remote attacker who can view the page source. The license key is sensitive information that, if leaked, could allow attackers to misuse the license, potentially leading to unauthorized use of the plugin's services or facilitating further attacks against the affected site. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality. The CVSS v3.1 score is 5.3 (medium severity), reflecting the ease of exploitation (network accessible, no privileges required) but limited impact scope (only confidentiality of license key). No patches or fixes have been published at the time of disclosure, and no known exploits are reported in the wild. The vulnerability is relevant to all versions of the plugin up to 1.0.4, which may be installed on WordPress sites worldwide. The exposure is specifically tied to pages containing the plugin's shortcode, meaning that sites using the plugin but not embedding the shortcode on public pages may be less affected.

For European organizations, the exposure of the magicimport.ai license key can lead to unauthorized use or theft of the license, potentially resulting in financial loss or service disruption if the license is revoked or abused. While the vulnerability does not directly compromise site integrity or availability, the leaked license key could be leveraged by attackers to impersonate the organization or gain further footholds if combined with other vulnerabilities. Organizations relying on the Magic Import Document Extractor plugin for document processing or automation may face operational risks if their license is compromised. Additionally, the exposure of sensitive license information could violate data protection policies or contractual obligations, especially under GDPR regulations, if the license key is considered sensitive business information. The risk is heightened for organizations with public-facing WordPress sites that embed the vulnerable shortcode, as the license key is exposed in the page source accessible to any visitor. This could also lead to reputational damage if attackers publicize the vulnerability or misuse the license.

To mitigate this vulnerability, organizations should immediately audit their WordPress sites for the presence of the Magic Import Document Extractor plugin and identify pages containing its shortcode. Until a patch is released, administrators should remove or disable the shortcode on publicly accessible pages to prevent license key exposure. Alternatively, restrict access to pages containing the shortcode using authentication or IP-based access controls. Consider disabling or uninstalling the plugin if it is not critical to operations. Monitor for updates from the vendor or WordPress plugin repository and apply patches promptly once available. Additionally, rotate or revoke the exposed license key with magicimport.ai if possible, to prevent unauthorized use. Implement web application firewalls (WAF) rules to detect and block suspicious requests targeting the plugin's frontend settings endpoint. Finally, conduct regular security reviews of WordPress plugins and limit the use of plugins that expose sensitive configuration data in frontend code.