CVE-2026-2144 Overview
The Magic Login Mail or QR Code plugin for WordPress contains a critical privilege escalation vulnerability affecting all versions up to and including 2.05. The vulnerability arises from insecure handling of magic login QR code images, which are stored with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process.
This race condition vulnerability allows unauthenticated attackers to hijack user accounts, including administrator accounts, by exploiting the brief window between QR code file creation and deletion. An attacker can trigger a login link request for any user and then rapidly access the publicly predictable file path to extract the login URL encoded within the QR code.
Critical Impact
Unauthenticated attackers can gain unauthorized access to any WordPress user account, including administrators, by exploiting a race condition in the QR code login functionality. This could lead to complete site compromise.
Affected Products
- Magic Login Mail or QR Code plugin for WordPress versions up to and including 2.05
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-2144 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2144
Vulnerability Analysis
This vulnerability is classified as CWE-269 (Improper Privilege Management) and manifests as a race condition combined with insecure file storage practices. The core issue stems from the plugin's QR code generation workflow, which creates a temporary image file containing sensitive authentication data in a predictable, publicly accessible location.
When a user requests a magic login link, the plugin generates a QR code image containing the authentication URL and saves it to the WordPress uploads directory with a static filename. The file is intended to be temporary—deleted after the wp_mail() function completes sending the email. However, this creates an exploitable time window where the file exists and is accessible to anyone who knows or can guess the file path.
The attack requires network access but no authentication, making it exploitable by any remote attacker. While the attack complexity is considered high due to the race condition timing requirements, successful exploitation results in complete account compromise with full confidentiality, integrity, and availability impact on the targeted account.
Root Cause
The root cause of this vulnerability is twofold:
Predictable Static Filename: The plugin uses a hardcoded filename (QR_Code.png) rather than generating unique, unpredictable filenames for each QR code. This allows attackers to know exactly where to look for the authentication token.
Insecure File Location: The QR code is stored in the publicly accessible WordPress uploads directory (wp-content/uploads/) rather than a protected location outside the web root or in a non-publicly accessible directory.
Insufficient File Lifecycle Management: The time between file creation and deletion (the wp_mail() execution window) creates an exploitable race condition. The file should either never be written to disk or should be protected from public access during its existence.
Attack Vector
The attack follows this general sequence:
- The attacker identifies a WordPress site using the vulnerable Magic Login Mail or QR Code plugin
- The attacker triggers a magic login request for a target user (e.g., administrator)
- While the email is being sent, the attacker rapidly polls the predictable file path (/wp-content/uploads/QR_Code.png)
- If successful, the attacker retrieves the QR code image before it is deleted
- The attacker decodes the QR code to extract the magic login URL
- The attacker uses the extracted URL to authenticate as the target user
The attack can be automated to continuously monitor for QR code file creation, increasing the success rate despite the race condition timing challenges. For additional technical details, refer to the WordPress Plugin Code Reference and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-2144
Indicators of Compromise
- Unusual or repeated HTTP GET requests to /wp-content/uploads/QR_Code.png from external IP addresses
- Multiple magic login requests generated for administrator or privileged user accounts in rapid succession
- Unexpected administrator logins from unfamiliar IP addresses or geographic locations
- Web server access logs showing high-frequency polling of the uploads directory
Detection Strategies
- Implement web application firewall (WAF) rules to detect and alert on rapid, repeated requests to the QR_Code.png file path
- Monitor WordPress authentication logs for login events that occur via magic links, especially for privileged accounts
- Deploy file integrity monitoring on the WordPress uploads directory to detect unusual file creation patterns
- Review access logs for automated scanning behavior targeting predictable file paths
Monitoring Recommendations
- Enable detailed logging for the Magic Login Mail plugin if available, tracking login link generation events
- Configure SIEM alerts for authentication anomalies, particularly magic link logins from new IP addresses
- Implement rate limiting on magic login request endpoints to slow automated exploitation attempts
- Monitor for reconnaissance activity targeting WordPress plugin directories
How to Mitigate CVE-2026-2144
Immediate Actions Required
- Update the Magic Login Mail or QR Code plugin to a patched version immediately (version newer than 2.05)
- If an update is not available, disable the plugin until a patch is released
- Review WordPress user accounts for any unauthorized administrator accounts or suspicious privilege changes
- Audit recent login activity for signs of compromise, especially magic link authentications from unknown sources
Patch Information
Organizations should check for and apply the latest version of the Magic Login Mail or QR Code plugin that addresses this vulnerability. The vendor fix should implement unique, unpredictable filenames for QR code generation and either store files outside the web root or use in-memory QR code generation without writing to disk. Monitor the WordPress Plugin Repository for update availability.
Workarounds
- Disable the QR code login feature if the plugin allows, using email-only magic links as an alternative
- Implement .htaccess rules to deny direct access to QR code images in the uploads directory
- Use a reverse proxy or WAF to block external access to the QR_Code.png file path
- Consider switching to an alternative passwordless authentication plugin that does not store sensitive tokens in publicly accessible locations
# Example .htaccess rule to block access to QR code files
# Place in wp-content/uploads/.htaccess
<Files "QR_Code.png">
Order Allow,Deny
Deny from all
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
