HIGH · CVE-2026-2144 · CVSS 8.1

CVE-2026-2144: Privilege Escalation in Magic Login Mail/QR Code

Platform

wordpress

Component

magic-login-mail

Fixed in

2.06

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-2144 is a privilege escalation vulnerability in the Magic Login Mail or QR Code plugin for WordPress. An unauthenticated attacker can abuse it to obtain the login link generated for an arbitrary user, including an administrator, and take over that account. All plugin versions up to and including 2.05 (listed as 0.0.0 through 2.05) are affected; version 2.06 fixes the issue.


Impact and Attack Scenarios

The flaw is in how the plugin handles the QR code image it sends with login-link emails. When a login link is requested, the plugin renders the link into an image and writes it to the WordPress uploads directory under the fixed, predictable filename QR_Code.png, a location the web server serves to anyone. The file is not removed as soon as the email has gone out, so for a window of time it can be fetched without authentication. An unauthenticated attacker can therefore trigger a login-link request for any WordPress user, including an administrator, retrieve QR_Code.png from its predictable path during that window, and use the login link the image encodes to authenticate as the target, without ever seeing the email. The result is a full account takeover; with an administrator account that means data exposure, site defacement, or complete control of the WordPress installation. Reliable exploitation depends on winning the race before the file is overwritten or deleted, which is why the CVSS vector rates attack complexity as high.
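The file-handling pattern just described, as an added Python illustration (not the plugin's PHP code): a vulnerable sender that drops the QR image under a fixed name in the served uploads directory, an attacker-side fetch of that path, and two hardened variants. FAKE_QR_PNG, the mailer callback and the temporary directories are constructed stand-ins.

```python
"""The file-handling pattern behind CVE-2026-2144, vulnerable and hardened.

Added illustration in Python; it is not the plugin's PHP code. The QR bytes,
the mailer callback and the directories are constructed stand-ins.
"""
import os
import secrets
import tempfile
from typing import Callable, Dict, Optional

# Constructed placeholder for a rendered QR image of the login URL.
FAKE_QR_PNG = b"\x89PNG\r\n\x1a\n" + b"<qr of login link>"
PREDICTABLE_NAME = "QR_Code.png"

Mailer = Callable[[bytes], None]


def vulnerable_send(uploads_dir: str, mailer: Mailer) -> str:
    """Vulnerable pattern: fixed filename in the web-served uploads directory.

    The image sits at a guessable URL and cleanup is deferred to some later
    step, so an unauthenticated GET for the file in the meantime returns the
    login link of whichever user the mail was generated for.
    """
    path = os.path.join(uploads_dir, PREDICTABLE_NAME)
    with open(path, "wb") as fh:
        fh.write(FAKE_QR_PNG)
    with open(path, "rb") as fh:
        mailer(fh.read())
    # No unlink here: this is the window the advisory describes.
    return path


def attacker_fetch(uploads_dir: str) -> Optional[bytes]:
    """What an unauthenticated request for the predictable path would get."""
    try:
        with open(os.path.join(uploads_dir, PREDICTABLE_NAME), "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def hardened_send(mailer: Mailer) -> None:
    """Hardened pattern: hand the bytes to the mailer from memory.

    Nothing is written under the web root, so there is no URL to race and no
    cleanup step that can be skipped.
    """
    mailer(FAKE_QR_PNG)


def hardened_send_via_tempfile(private_dir: str, mailer: Mailer) -> str:
    """Variant for mailers that insist on a path.

    Unguessable name (128 bits from secrets), O_EXCL so a pre-planted file is
    never reused, mode 0600, a directory the web server does not serve, and an
    unlink in finally so the window closes even if the mailer raises. Returns
    the path so a caller can confirm it is gone afterwards.
    """
    path = os.path.join(private_dir, f"qr-{secrets.token_urlsafe(16)}.png")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(FAKE_QR_PNG)
        with open(path, "rb") as fh:
            mailer(fh.read())
    finally:
        os.unlink(path)
    return path


def demo() -> Dict[str, object]:
    """Run both patterns in throw-away directories and report what an attacker
    polling the uploads directory would observe."""
    sent = []
    with tempfile.TemporaryDirectory() as uploads, tempfile.TemporaryDirectory() as private:
        leaked_path = vulnerable_send(uploads, sent.append)
        stolen = attacker_fetch(uploads)  # succeeds: the file is still there
        os.unlink(leaked_path)            # the cleanup that came too late
        hardened_send(sent.append)
        tmp = hardened_send_via_tempfile(private, sent.append)
        return {
            "mails_sent": len(sent),
            "attacker_got_qr": stolen == FAKE_QR_PNG,
            "hardened_leaves_nothing_in_uploads": attacker_fetch(uploads) is None,
            "tempfile_removed": not os.path.exists(tmp),
            "tempfile_name_predictable": os.path.basename(tmp) == PREDICTABLE_NAME,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The in-memory variant is the right default: a login link is a credential, and a credential should never be written where the web server can serve it. The temp-file variant shows the minimum if a path is unavoidable; the unguessable name alone is not enough without the unlink in finally, and neither helps if the directory is inside the web root.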

Exploitation Context

CVE-2026-2144 was publicly disclosed on 2026-02-14. At the time of writing there is no indication of active exploitation, no CISA KEV listing, and no public proof-of-concept code is known. The CVSS 3.1 score of 8.1 (HIGH) reflects an unauthenticated, network-reachable attack with full confidentiality, integrity and availability impact, tempered only by the timing dependency of the race window. Nothing beyond ordinary HTTP requests is needed to attempt it, so the absence of a public PoC should not be relied on.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.10% (27th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 base score: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
Source: nextguardhq.com
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — the plugin runs inside WordPress, so the impacted component (the site and its accounts) is the same security authority as the vulnerable one.
Confidentiality
High — an attacker logged in as an administrator can read everything the site holds: user data, settings, and any stored credentials or keys.
Integrity
High — an administrator can change content and settings and install or edit plugin and theme code.
Availability
High — an administrator can take the site offline or break it outright.

Affected Software

Component: magic-login-mail
Vendor: wordfence
Affected range: 0.0.0 – 2.05
Fixed in: 2.06

Package Information

Active installs
100
Plugin rating
5.0
Requires WordPress
4.7+
Compatible up to
7.0
Requires PHP
8.0+


Mitigation and Workarounds

The primary fix for CVE-2026-2144 is to update the Magic Login Mail or QR Code plugin to version 2.06 or later. If that cannot happen immediately, the interim measure that addresses the actual issue is to deny direct web access to QR_Code.png inside wp-content/uploads, with a web-server rule or a WAF rule matching that filename; do not block the whole uploads directory, which serves the site's media. This only closes the retrieval path: the file is still written under a predictable name, and a WAF rule that is not enforced at the origin can be bypassed, so treat it as a stopgap, or deactivate the plugin until it can be updated. Monitor web-server access logs (WordPress itself keeps no request log) for requests to QR_Code.png, including 404 responses, which indicate someone polling for the window, and for login-link requests on behalf of accounts that did not ask for them. If a request for the file returned 200, treat the user whose link was generated as compromised: invalidate their sessions and reset their password.
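Two practical checks for the measures above, as an added Python example (not from the advisory or the plugin; it also answers the "Am I affected" question in the FAQ): a version check that compares the way WordPress does, and a scan of access logs for requests to the predictable file correlated with login-link requests from the same client. It assumes the plugin's main file carries a standard WordPress plugin header with a Version: line, that logs are in Apache/nginx combined format, and that a login-link request is recognisable by a "magic-login" substring in the path; that last pattern is an assumption, since the page does not document the request shape. The header text and log lines are constructed.

```python
"""Am-I-affected check and access-log detection for CVE-2026-2144.

Added example, not part of the advisory or the plugin. Assumptions: standard
WordPress plugin header with a "Version:" line, combined-format access logs,
and LOGIN_LINK_RE as a guess at the login-link request path (adjust it to the
real request shape). SAMPLE_HEADER and SAMPLE_LOG are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

FIXED_VERSION = "2.06"
# The predictable filename, anywhere under uploads, case-insensitive.
QR_PATH_RE = re.compile(r"/wp-content/uploads/(?:[^?\s]*/)?QR_Code\.png", re.I)
LOGIN_LINK_RE = re.compile(r"magic[-_]?login", re.I)  # assumption, see docstring
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class Event(NamedTuple):
    ip: str
    ts: datetime
    path: str
    status: int


def parse_version(v: str) -> Tuple[int, ...]:
    """Split like PHP's version_compare, which WordPress uses: each dot-separated
    part is an integer, so "2.05" < "2.06", and "2.1" is (2, 1), i.e. older than
    "2.05", whereas a plain string comparison would call "2.1" the newer one."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def plugin_version_from_header(header_text: str) -> Optional[str]:
    """Read the Version: field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.M)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True for every release below the fixed one (the advisory's 0.0.0 - 2.05)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_log_line(line: str) -> Optional[Event]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"]))


def find_qr_harvesting(lines: List[str], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag every request for the predictable QR file. A 200 means the link was
    handed out; a 404 is a miss while polling for the window. Each hit also
    records whether the same client sent a login-link request within `window`
    beforehand, which is the full sequence the advisory describes."""
    events = [e for e in (parse_log_line(line) for line in lines) if e]
    hits = []
    for e in events:
        if not QR_PATH_RE.search(e.path):
            continue
        primed = any(
            o.ip == e.ip and LOGIN_LINK_RE.search(o.path)
            and timedelta(0) <= e.ts - o.ts <= window
            for o in events
        )
        hits.append({"ip": e.ip, "ts": e.ts.isoformat(), "status": e.status,
                     "login_request_seen": primed, "leaked": e.status == 200})
    return hits


# Constructed sample data for the demonstration.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Magic Login Mail or QR Code
 * Version: 2.05
 */
"""
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2026:10:00:01 +0000] "POST /wp-login.php?action=magic-login HTTP/1.1" 302 0 "-" "curl/8.4"',
    '203.0.113.7 - - [14/Feb/2026:10:00:02 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 200 1432 "-" "curl/8.4"',
    '198.51.100.9 - - [14/Feb/2026:10:03:10 +0000] "GET /wp-content/uploads/2026/02/hero.png HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Feb/2026:10:00:05 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 0 "-" "curl/8.4"',
    '192.0.2.55 - - [14/Feb/2026:11:30:00 +0000] "GET /wp-content/uploads/qr_code.png HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_HEADER)
    print(f"installed {installed}: affected={is_affected(installed)}")
    for hit in find_qr_harvesting(SAMPLE_LOG):
        print(hit)
```

On a real site, feed plugin_version_from_header the contents of the plugin's main file under wp-content/plugins/magic-login-mail/ and feed find_qr_harvesting the access log; a hit with leaked set to True names the client that obtained a login link, and login_request_seen distinguishes a targeted attempt from background scanning.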

How to fix

Update to version 2.06, or a newer patched version


Frequently asked questions

What is CVE-2026-2144 — Privilege Escalation in Magic Login Mail or QR Code?

CVE-2026-2144 is a HIGH severity vulnerability in the Magic Login Mail or QR Code WordPress plugin that lets an unauthenticated attacker obtain another user's login link, including an administrator's, through a race condition in the plugin's handling of the QR code image it writes to the uploads directory.

Am I affected by CVE-2026-2144 in Magic Login Mail or QR Code?

If the Magic Login Mail or QR Code plugin is installed at any version up to and including 2.05 (the affected range is listed as 0.0.0 through 2.05), your site is affected regardless of the WordPress core version.

How do I fix CVE-2026-2144 in Magic Login Mail or QR Code?

Upgrade the Magic Login Mail or QR Code plugin to version 2.06 or later. If an immediate upgrade is not possible, block direct web requests for QR_Code.png under the uploads directory or deactivate the plugin until it can be updated.

Is CVE-2026-2144 being actively exploited?

As of now there is no confirmed evidence of active exploitation of CVE-2026-2144, but the attack needs no credentials or user interaction, so that can change quickly.

Where can I find the official Magic Login Mail or QR Code advisory for CVE-2026-2144?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and release notes regarding CVE-2026-2144.
