CVE-2026-2144
Published: 14 February 2026
Description
The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.
Mitigating Controls (NIST 800-53 r5)
- Directly restricts unauthorized access to sensitive publicly accessible content, such as the predictable QR_Code.png file in the WordPress uploads directory, preventing exploitation of the race condition.
- Enforces protections on public interfaces like the web server exposing the uploads directory, blocking unauthorized retrieval of the QR code containing the login URL.
- Enforces approved access authorizations to system resources, preventing unauthenticated attackers from accessing the temporarily stored QR code file during the race window.
Security Summary
CVE-2026-2144 is a privilege escalation vulnerability affecting the Magic Login Mail or QR Code plugin for WordPress in all versions up to and including 2.05. The issue stems from the plugin storing a magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. This file is only deleted after the wp_mail() function completes, creating a race condition window that exposes the QR code containing the login URL.
Unauthenticated attackers can exploit this vulnerability by triggering a login link request for any targeted user, including administrators. During the brief window between file creation and deletion, the attacker races to access and download the QR_Code.png file from the uploads directory, decode the QR code to obtain the login URL, and gain unauthorized access to the targeted user's account. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects network accessibility without privileges but high attack complexity due to the race condition, with high impacts on confidentiality, integrity, and availability. It is associated with CWE-269 (Improper Privilege Management).
Mitigation details are outlined in advisories such as Wordfence threat intelligence and WordPress plugin trac references, including source code locations in class-magicloginmail.php (lines 250 and 325) and changeset 3460417, which likely contains the fix. Security practitioners should update the plugin to a version later than 2.05 and review upload directory permissions to prevent exploitation.
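A detection pass over web-server access logs, added here as an illustration and not code from the advisory, Wordfence or the plugin: it flags any request for the static QR_Code.png path in the uploads directory, counts successful reads, and spots bursts of requests from one source that indicate an attempt to race the file's deletion. The log lines are constructed samples, and the uploads path is assumed to be the default /wp-content/uploads.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2026:10:00:01 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [14/Feb/2026:10:00:01 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [14/Feb/2026:10:00:02 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 200 1843 "-" "curl/8.0"
198.51.100.9 - - [14/Feb/2026:10:05:30 +0000] "GET /wp-content/uploads/2026/02/banner.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Static filename named in the advisory; uploads path assumed to be the WordPress default.
TARGET = "/wp-content/uploads/QR_Code.png"

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(log_text, window=timedelta(seconds=5), burst=3):
    """Per source IP: attempts on the static QR file, successful reads, and racing bursts."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["path"].split("?")[0].lower() == TARGET.lower():
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        max_burst, start = 0, 0
        for end in range(len(recs)):  # sliding window over request timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        findings[ip] = {
            "attempts": len(recs),
            "successful_reads": sum(1 for r in recs if r["status"] == 200),
            "burst": max_burst >= burst,
        }
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A 200 on this path means the QR image was served while it existed; repeated 404s in a tight window from one source are the signature of an attempt to race the deletion, even when no read succeeds.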
Details
- CWE(s): CWE-269 (Improper Privilege Management)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated attackers to exploit a public-facing WordPress plugin via a race condition to obtain magic login URLs, directly mapping to exploitation of public-facing applications.