Privilege Escalation in Magic Login Mail or QR Code Plugin for WordPress
CVE-2026-2144

8.1HIGH

Key Information:

Vendor

WordPress
Status
Magic Login Mail Or Qr Code
Vendor
CVE Published:
14 February 2026

What is CVE-2026-2144?

The Magic Login Mail or QR Code plugin for WordPress presents a vulnerability that allows for privilege escalation due to the improper handling of a magic login QR code image. All versions up to and including 2.05 are affected, as the plugin stores the QR code with a predictable filename in the publicly accessible uploads directory. This creates a race condition between the creation and deletion of the QR code file, allowing unauthorized users to exploit this flaw. By initiating a login link request for any user, an attacker can intercept the QR code and obtain an encoded login URL, potentially granting them access to another user's account, including administrators.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Magic Login Mail or QR Code * <= 2.05

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/magic-login-ma...
https://plugins.trac.wordpress.org/browser/magic-login-ma...

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ifoundbug
JSON
.