CVE-2026-2144
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.
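The description above names three defects that combine into the race window: a fixed filename, a publicly served directory, and deletion that happens only after wp_mail() returns. The following PHP is an added illustration, not the plugin's own code, of how a WordPress plugin can email a QR-code login link while closing each of those gaps. It assumes a hypothetical generate_qr_png() helper that returns PNG bytes and a one-time $login_url supplied by the caller; the WordPress functions used (get_temp_dir(), wp_mail(), wp_delete_file(), trailingslashit()) are real core APIs.

```php
<?php
// Added example (not from the plugin): hardened handling of a temporary
// QR-code image when it must be attached to an outgoing WordPress email.
// Assumptions: generate_qr_png() is a hypothetical QR encoder returning PNG
// bytes; $login_url is a single-use login link produced elsewhere.

function send_magic_qr_hardened( string $to, string $login_url ): bool {
    $png = generate_qr_png( $login_url ); // hypothetical helper

    // Defect 1 fixed: do not write into wp_upload_dir(), which is served over
    // HTTP. get_temp_dir() is the server temp directory, outside the web root
    // on a normal install.
    // Defect 2 fixed: no static name such as QR_Code.png; the name carries
    // 128 bits from random_bytes(), so it cannot be guessed even if the
    // directory were somehow reachable.
    $path = trailingslashit( get_temp_dir() )
          . 'magic-qr-' . bin2hex( random_bytes( 16 ) ) . '.png';

    if ( false === file_put_contents( $path, $png, LOCK_EX ) ) {
        return false; // nothing written, nothing to clean up
    }
    chmod( $path, 0600 ); // readable only by the PHP process owner

    try {
        // wp_mail() reads the attachment while the file exists; the contents
        // of the QR code (the login URL) never touch a public path.
        return wp_mail(
            $to,
            'Your login QR code',
            'Scan the attached QR code to sign in.',
            array(),
            array( $path )
        );
    } finally {
        // Defect 3 fixed: delete on every exit path, including when wp_mail()
        // throws or returns false, not only after a successful send.
        wp_delete_file( $path );
    }
}
```

The remaining lifetime of the file is the duration of the wp_mail() call, but during that window the file is private to the process owner and has an unguessable name, so there is no public, predictable artifact for a third party to fetch. Where the mail transport supports it, encoding the PNG inline in the message body removes the temporary file altogether.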
Analysis
Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. …
Remediation
Within 24 hours: Audit all WordPress installations to identify if the Magic Login Mail or QR Code plugin is installed and active; immediately disable the plugin if found. Within 7 days: Evaluate alternative authentication methods (such as native WordPress two-factor authentication or replacement plugins with security audits), test in staging environment, and implement replacement solution. …