CVE-2025-15507
📋 TL;DR
The Magic Import Document Extractor WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to modify the plugin's license status and credit balance. This affects all WordPress sites using version 1.0.4 or earlier of the plugin. Attackers can exploit this without any credentials or special access.
💻 Affected Systems
- Magic Import Document Extractor WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable license validation, potentially enabling unauthorized use of premium features or disrupting plugin functionality.
Likely Case
Attackers will modify license status to bypass payment requirements or manipulate credit balances for free usage.
If Mitigated
With proper network segmentation and WAF rules, exploitation attempts would be blocked before reaching the vulnerable endpoint.
🎯 Exploit Status
Simple HTTP POST request to the vulnerable ajax_sync_usage() function can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.5 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Magic Import Document Extractor. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 1.0.5+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate magic-import-document-extractor
WAF Rule Block
allBlock requests to the vulnerable ajax_sync_usage() endpoint.
Add WAF rule to block POST requests containing 'action=magic_import_document_extractor_sync_usage'
🧯 If You Can't Patch
- Remove the plugin entirely from production systems.
- Implement network-level blocking of the vulnerable endpoint using firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Magic Import Document Extractor → Version. If version is 1.0.4 or lower, you are vulnerable.Check Version:
wp plugin get magic-import-document-extractor --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 1.0.5 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with 'action=magic_import_document_extractor_sync_usage' parameter from unauthenticated IPs
- Unusual modifications to plugin settings or license status
Network Indicators:
- POST requests to admin-ajax.php with the vulnerable action parameter without authentication cookies
SIEM Query:
source="web_server" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="magic_import_document_extractor_sync_usage" AND NOT cookie CONTAINS "wordpress_logged_in"