Platform: wordpress
Component: magic-login-mail
Fixed in: 2.06
CVE-2026-2144 describes a Privilege Escalation vulnerability affecting the Magic Login Mail or QR Code plugin for WordPress. This flaw allows unauthenticated attackers to potentially escalate privileges and gain unauthorized access. The vulnerability impacts versions 0.0.0 through 2.05, and a fix is available in version 2.06.
The vulnerability lies in how the plugin handles the QR code image it generates for a login link. While sending the login email, the plugin writes that image into the WordPress uploads directory under the fixed, predictable filename 'QR_Code.png'. The uploads directory is served directly by the web server, and the file is not deleted as soon as the email has gone out, so for a short window the QR code, and with it the login link it encodes, can be fetched by anyone who knows the URL. This is the race condition: an attacker triggers a login link request for any WordPress user, including an administrator, and requests 'QR_Code.png' before the plugin removes it (polling the fixed URL makes winning the race straightforward). Decoding the image yields the login link, which logs the attacker in as the targeted user, taking an unauthenticated attacker to that user's privileges. Against an administrator account this means data theft, site defacement, or complete control of the WordPress installation.
CVE-2026-2144 was publicly disclosed on 2026-02-14. There is currently no indication of active exploitation campaigns targeting this vulnerability. The CVSS score of 8.1 (HIGH) reflects the potential for significant impact if exploited. No KEV listing is present as of this writing. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it is relatively straightforward to exploit.
Exploit Status
EPSS: 0.10% (27th percentile)
The primary mitigation for CVE-2026-2144 is to upgrade the Magic Login Mail or QR Code plugin to version 2.06 or later. If upgrading is not immediately feasible because of compatibility testing, deny direct web requests for 'QR_Code.png' in the uploads directory at the web server or in a WAF rule. Blocking that single filename is preferable to restricting access to the whole uploads directory, which would break every image and attachment on the site, and it cuts the attack path because the image is only useful to an attacker if it can be fetched over HTTP. Treat this as a stopgap rather than a fix: the plugin still writes the login QR code to the same predictable path, and only the upgrade stops that. While the window is open, monitor the web server access logs for requests to QR_Code.png under the uploads directory (by default /wp-content/uploads/). Repeated requests for that path from one client are the signature of an attacker polling the fixed filename to win the race, and any 200 response means a login QR code was actually served; correlate such hits with login link requests for administrator accounts.
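The following script implements the monitoring described above. It is an added example, not code from the advisory or from the plugin: it parses Apache/nginx "combined" format access logs, reports every request for the QR image that was actually served (status 200), and flags clients that polled the fixed filename repeatedly within a short window. The uploads path /wp-content/uploads/, the polling threshold of five requests per minute, and the sample log lines are all assumptions constructed for the example.

```python
"""Scan web-server access logs for signs of CVE-2026-2144 exploitation.

Added example, not code from the plugin or the advisory. Assumes the
Apache/nginx "combined" log format and the default WordPress uploads
path /wp-content/uploads/; the threshold and the sample log lines below
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# URL path at which the plugin's fixed-name QR image is served (assumed default uploads dir).
QR_PATH = "/wp-content/uploads/QR_Code.png"

# Apache/nginx combined log format, e.g.
# 203.0.113.5 - - [14/Feb/2026:10:01:02 +0000] "GET /path HTTP/1.1" 200 512 "-" "curl/8.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop cache-busting query strings
    return rec


def find_qr_access(lines, poll_threshold=5, window=timedelta(seconds=60)):
    """Flag requests for the QR image.

    Returns (served, pollers):
      served  - records where the image was actually returned (status 200),
                i.e. the race window was open and a login QR code left the server;
      pollers - sorted client IPs that requested the path at least poll_threshold
                times within `window`, the signature of an attacker polling the
                fixed filename to win the race (404s count too, since failed
                probes are part of the pattern).
    """
    served = []
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Case-insensitive match so probes for case variants are counted as polling.
        if rec is None or rec["path"].lower() != QR_PATH.lower():
            continue
        by_ip[rec["ip"]].append(rec["ts"])
        if rec["status"] == 200:
            served.append(rec)

    pollers = set()
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: any poll_threshold consecutive requests inside `window`.
        for i in range(len(times) - poll_threshold + 1):
            if times[i + poll_threshold - 1] - times[i] <= window:
                pollers.add(ip)
                break
    return served, sorted(pollers)


# Constructed sample log (not real traffic): 192.0.2.10 loads an unrelated image,
# 203.0.113.7 polls the QR path every two seconds until it is served, and
# 198.51.100.3 makes a single failed request.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Feb/2026:10:00:01 +0000] "GET /wp-content/uploads/2026/02/hero.png HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2026:10:00:05 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:10:00:07 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:10:00:09 +0000] "GET /wp-content/uploads/QR_Code.png?x=3 HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:10:00:11 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:10:00:13 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 200 1432 "-" "python-requests/2.31"
198.51.100.3 - - [14/Feb/2026:10:30:00 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def main():
    served, pollers = find_qr_access(SAMPLE_LOG.splitlines())
    for rec in served:
        print(f"QR image SERVED to {rec['ip']} at {rec['ts'].isoformat()}")
    for ip in pollers:
        print(f"polling client: {ip}")


if __name__ == "__main__":
    main()
```

Run it against a real log with `find_qr_access(open("access.log"))`. A 200 for the QR path is the high-fidelity signal: it means a login QR code was handed out, and the matching login link request (and the account it targeted) should be located in the same time window. The polling heuristic catches attempts even when they failed, which is what you want to see before the site is upgraded.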
Update to version 2.06, or a newer patched version
CVE-2026-2144 is a HIGH severity vulnerability in the Magic Login Mail or QR Code WordPress plugin allowing attackers to potentially escalate privileges through a race condition related to QR code image handling.
If you are using the Magic Login Mail or QR Code plugin for WordPress at plugin version 0.0.0 through 2.05 (that is, any release before 2.06), you are affected by this vulnerability.
Upgrade the Magic Login Mail or QR Code plugin to version 2.06 or later to address the vulnerability. Consider temporary mitigation steps like restricting uploads directory access if immediate upgrade is not possible.
As of now, there is no confirmed evidence of active exploitation campaigns targeting CVE-2026-2144, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and release notes regarding CVE-2026-2144.