Attack Vectors
Severity: High (CVSS 8.1). CVE-2026-2144 affects the WordPress plugin Magic Login Mail or QR Code (slug: magic-login-mail) in versions up to and including 2.05.
The core exposure comes from how the plugin handles “magic login” requests: an unauthenticated attacker can trigger a login link request for a target user (including administrators). During the email-sending process, the plugin temporarily stores a QR code image in the uploads directory, a location that is publicly reachable on many WordPress sites. The attacker then attempts to access that QR code file while it exists.
This is described as a “race condition” window: the QR image is only deleted after the email send routine finishes, which can create a brief but exploitable opportunity for an external party to retrieve the QR code and use it to gain access.
Security Weakness
CVE-2026-2144 is a Privilege Escalation issue caused by insecure QR code file storage in Magic Login Mail or QR Code (<= 2.05). Specifically, the plugin uses a predictable, static filename (QR_Code.png) in the publicly accessible uploads directory while generating and sending the email.
Because the file can be accessed over the web while it exists—and because it is deleted only after wp_mail() completes—an attacker can potentially retrieve the QR code image during that interval. The predictable filename and location reduce the guesswork needed to target the file.
Remediation note: The source indicates no known patch is available at this time. Organizations should assess their risk tolerance and implement mitigations accordingly, which may include removing the plugin and selecting an alternative.
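For illustration only, the following hypothetical helper shows how plugin code can avoid the storage weakness described above: the QR image is written under an unpredictable name to the server temp directory rather than wp-content/uploads, passed to wp_mail() as an attachment, and removed in a finally block on every exit path. This is an added example, not the plugin's code and not a vendor patch; the QR generation function make_qr_png_bytes() is assumed to exist.

```php
<?php
/**
 * Hypothetical hardened version of a magic-login QR email routine.
 * Added example, not the plugin's code. Assumes a helper
 * make_qr_png_bytes(string $login_url): string that returns PNG bytes.
 */
function send_magic_login_qr_hardened( WP_User $user, string $login_url ): bool {
    require_once ABSPATH . 'wp-admin/includes/file.php'; // provides wp_tempnam()

    // 1. No static name such as QR_Code.png inside wp-content/uploads.
    //    wp_tempnam() creates a uniquely named file in get_temp_dir(), which is
    //    normally outside the web root, so it has no URL to request.
    $tmp = wp_tempnam( 'magic-login-' . wp_generate_password( 12, false ) );
    if ( ! $tmp ) {
        return false;
    }

    try {
        // 2. Write the PNG and restrict it to the web server user.
        if ( file_put_contents( $tmp, make_qr_png_bytes( $login_url ) ) === false ) {
            return false;
        }
        chmod( $tmp, 0600 );

        // 3. wp_mail() embeds the attachment in the message itself; the file is
        //    never referenced by URL, so nothing is fetchable while sending.
        $sent = wp_mail(
            $user->user_email,
            __( 'Your login QR code', 'magic-login-mail' ),
            __( 'Scan the attached QR code to sign in. It expires shortly.', 'magic-login-mail' ),
            array( 'Content-Type: text/plain; charset=UTF-8' ),
            array( $tmp )
        );
        return (bool) $sent;
    } finally {
        // 4. Delete on success, failure and exception alike, so no window
        //    remains even if wp_mail() throws part-way through.
        if ( file_exists( $tmp ) ) {
            wp_delete_file( $tmp );
        }
    }
}
```

This closes only the file-storage window; the page also notes that an unauthenticated party can request a login link for any user, which is a separate control the plugin would still need to address.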
Technical or Business Impacts
For executives, compliance teams, and marketing leadership, the key risk is straightforward: if an attacker can obtain a magic-login QR code for an administrator or privileged user, they may be able to access the WordPress dashboard without valid credentials. This can quickly become a full-site incident.
Potential business impacts include website defacement, unauthorized changes to landing pages, redirects that harm brand trust, and manipulation of tracking scripts that affects analytics integrity and marketing attribution. If customer data, leads, or email lists are accessible through the site, the incident can expand into data exposure and regulatory reporting considerations.
Operationally, a successful attack can trigger costly downtime, emergency remediation work, and reputational damage—especially if the site is a primary customer acquisition channel. Given the High severity and the absence of a known patch, leaders should treat continued use of affected versions (<= 2.05) of Magic Login Mail or QR Code as a material risk decision.
Similar Attacks
While the specific mechanism in CVE-2026-2144 involves a temporary QR code file and a race window, the broader pattern—WordPress plugin weaknesses leading to unauthorized access or privilege escalation—has been seen in other high-impact incidents, such as:
CVE-2020-25213 (File Manager plugin) — widely reported due to its impact and exploitation risk in WordPress environments.
CVE-2021-29447 (WordPress core) — a WordPress vulnerability that drew broad attention because it affected many sites and highlighted the operational risk of delayed updates.
CVE-2021-24340 (Contact Form 7 add-on) — an example of how plugin ecosystem flaws can translate into real business risk when exploited at scale.