Exploitation Research Plan - CVE-2025-15508

1. Vulnerability Summary

The Magic Import Document Extractor plugin (<= 1.0.6) is vulnerable to Unauthenticated Sensitive Information Exposure. The vulnerability exists because the function get_frontend_settings() (likely located in an initialization or frontend-facing class) includes the site's magicimport.ai license key in its return array. This array is subsequently passed to wp_localize_script(), which embeds the data as a global JavaScript object in the HTML source of any page where the plugin's shortcode is present. Since shortcode pages are often public, unauthenticated attackers can view the page source and extract the license key.

2. Attack Vector Analysis

• Endpoint: Any public WordPress Post or Page containing the plugin's shortcode.
• Payload: No specific payload is sent; the "exploit" involves a simple GET request to a page containing the shortcode.
• Authentication: None (Unauthenticated).
• Preconditions:
  1. The plugin must have a license key configured.
  2. A page or post must exist that contains the plugin's shortcode (to trigger script enqueuing and localization).

3. Code Flow (Inferred)

1. Shortcode Registration: The plugin registers a shortcode (likely via add_shortcode in the main plugin file or a dedicated Shortcode class).
2. Frontend Loading: When a page with the shortcode is requested, the shortcode callback or an associated wp_enqueue_scripts hook is executed.
3. Data Preparation: The code calls a function, specifically get_frontend_settings(), to retrieve configuration for the frontend JS.
4. Information Leak: get_frontend_settings() fetches the license key from the WordPress options table (e.g., get_option('magic_import_license_key')) and includes it in the returned array.
5. Localization: The plugin calls wp_localize_script( 'script-handle', 'JS_OBJECT_NAME', get_frontend_settings() ).
6. Output: WordPress renders the script block in the HTML <head> or footer, exposing the JS_OBJECT_NAME.license_key (or similar key name) to the public.

4. Nonce Acquisition Strategy

This vulnerability does not require a nonce. The license key is leaked via a standard GET request to a public page. Nonce checks are typically used to protect state-changing operations (AJAX/REST actions), but this is a passive information exposure.

5. Exploitation Strategy

The goal is to identify the shortcode, create a page with it, and extract the license key.

Step 1: Identify Shortcode and JS Object Name

Since source files are not provided, we must find the identifiers in the environment:

1. Search for shortcode registration: grep -r "add_shortcode" wp-content/plugins/magic-import-document-extractor/
2. Search for the vulnerable function: grep -r "get_frontend_settings" wp-content/plugins/magic-import-document-extractor/
3. Identify the JS variable name: Look for the wp_localize_script call associated with that function.

Step 2: Test Data Setup

1. Configure License: Set a dummy license key in the database.

   wp option update magic_import_license_key "CVE-2025-15508-SECRET-KEY"
   

   (Note: The exact option name should be verified via wp option list | grep magic).
2. Create Trigger Page: Create a public page with the identified shortcode (assumed to be [magic-import-extractor] based on slug).

   wp post create --post_type=page --post_title="Magic Import Test" --post_status=publish --post_content='[magic-import-extractor]'
   

Step 3: Execution

1. Navigate to the page: Use browser_navigate to visit the newly created page.
2. Extract Data: Use browser_eval to find the license key in the global scope, OR use http_request to fetch the HTML and grep for it.

Target JS Object Guess (based on common patterns):

• window.magicImportSettings?.license_key
• window.magicImportData?.apiKey

6. Test Data Setup

• Plugin Status: Must be active.
• Option Value: wp option update magic_import_license_key "POCO-TEST-KEY-999" (Verify key name in code).
• Target Page: A page at URL /magic-test/ containing the plugin's primary shortcode.

7. Expected Results

• HTTP Response: 200 OK.
• Exposed Data: The HTML source contains a script block similar to:

  <script id="magic-import-frontend-js-extra">
  var magicImportSettings = {"api_url":"...","license_key":"POCO-TEST-KEY-999", ...};
  </script>
  

• The license_key value matches the value injected into the database.

8. Verification Steps

1. Manual Verification:

   # Fetch the page and grep for the known secret key
   curl -s http://localhost:8080/magic-test/ | grep "POCO-TEST-KEY-999"
   

2. Plugin Code Audit: Confirm get_frontend_settings() includes the sensitive field without checking for is_admin() or administrative capabilities.

9. Alternative Approaches

If the shortcode does not trigger the leak:

1. Check Admin Pages: Sometimes get_frontend_settings is called on all admin pages. If an unauthenticated user can access a specific admin-ajax or admin-post hook that triggers this, it may leak there, though the description specifically points to the page source of shortcode pages.
2. Search for REST/AJAX: Look for register_rest_route or wp_ajax_nopriv_ calls that might also use get_frontend_settings() to return configuration data to the frontend.
3. Check Versioning: Ensure the test environment is running version <= 1.0.4 or 1.0.6 as specified in the report.