Description
The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance.
Published: 2026-02-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated License Status Modification
Action: Patch
AI Analysis

Impact

The Magic Import Document Extractor plugin contains a missing capability check in the ajax_sync_usage() function for all releases up to 1.0.5. Because the function does not verify the user's permissions, any visitor with network access can call that AJAX endpoint and change the stored license status and credit balance. The result is that an attacker can grant themselves premium features or drain credits without authorization, effectively compromising the plugin’s integrity controls.

Affected Systems

Magic Import Document Extractor, versions 1.0.0 through 1.0.5. All installations of those versions running on WordPress sites that expose the plugin’s AJAX endpoint are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score of < 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by issuing unauthenticated HTTP requests to the ajax_sync_usage endpoint, requiring no authenticated session or additional privileges.

Generated by OpenCVE AI on April 21, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Magic Import Document Extractor to the latest release (1.0.6 or newer), which includes the missing capability check.
  • If an upgrade is not possible, modify the plugin code to add a capability check, such as current_user_can( 'manage_options' ), before allowing license status changes.
  • When the license management feature is not required, remove or disable the ajax_sync_usage endpoint entirely.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Description
  Values Removed: The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance.
  Values Added: The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance.
Title
  Values Removed: Magic Import Document Extractor <= 1.0.4 - Missing Authorization to Unauthenticated Plugin License Status Modification
  Values Added: Magic Import Document Extractor <= 1.0.5 - Missing Authorization to Unauthenticated Plugin License Status Modification
References

Wed, 04 Feb 2026 21:30:00 +0000

First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 04 Feb 2026 17:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 08:45:00 +0000

Description
  Values Added: The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance.
Title
  Values Added: Magic Import Document Extractor <= 1.0.4 - Missing Authorization to Unauthenticated Plugin License Status Modification
Weaknesses
  Values Added: CWE-862
References
Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:26.999Z

Reserved: 2026-01-11T11:18:03.486Z

Link: CVE-2025-15507

Vulnrichment

Updated: 2026-02-04T16:48:25.977Z

NVD

Status: Deferred

Published: 2026-02-04T09:15:51.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses