CVE-2026-2144

The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/magic-login-mail/trunk/lib/class-magicloginmail.php#L250
https://plugins.trac.wordpress.org/browser/magic-login-mail/trunk/lib/class-magicloginmail.php#L325
https://www.wordfence.com/threat-intel/vulnerabilities/id/65066a17-653b-4444-9bd0-894ea8c1acb1?source=cve

Configurations

No configuration.

History

14 Feb 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-14 05:16

Updated : 2026-02-18 17:52

NVD link : CVE-2026-2144

Mitre link : CVE-2026-2144

CVE.ORG link : CVE-2026-2144

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

8.1 /10