
CVE-2026-2144: CWE-269 Improper Privilege Management in katsushi-kawamori Magic Login Mail or QR Code

Severity: High
Tags: Vulnerability, CVE-2026-2144, CWE-269
Published: Sat Feb 14 2026 (02/14/2026, 04:35:40 UTC)
Source: CVE Database V5
Vendor/Project: katsushi-kawamori
Product: Magic Login Mail or QR Code

Description

The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/21/2026, 22:13:11 UTC

Technical Analysis

CVE-2026-2144 affects the Magic Login Mail or QR Code plugin for WordPress, versions up to and including 2.05. The vulnerability arises from improper privilege management (CWE-269) related to the handling of the QR code image used for passwordless login. When a login link is requested, the plugin generates a QR code image named QR_Code.png and stores it in the WordPress uploads directory, which is publicly accessible. This filename is static and predictable, allowing attackers to anticipate its location. The file remains accessible until the wp_mail() function completes sending the email, after which the file is deleted. This creates a race condition window where an attacker can request a login link for any user, including administrators, and quickly access the QR code image before deletion. By retrieving the QR code, the attacker obtains the encoded login URL, enabling them to bypass authentication and gain unauthorized access to the targeted user's account. The attack requires no authentication or user interaction, increasing its severity. The vulnerability impacts confidentiality (unauthorized account access), integrity (potential account misuse), and availability (possible account lockout or disruption). Although no public exploits are currently known, the vulnerability's characteristics make it a significant risk for WordPress sites using this plugin. The CVSS 3.1 base score is 8.1, reflecting high severity with network attack vector, high impact on confidentiality, integrity, and availability, and no privileges or user interaction required. No official patches are currently linked, so mitigation relies on configuration and monitoring until updates are released.

Potential Impact

The vulnerability allows unauthenticated attackers to escalate privileges by gaining unauthorized access to any user account on affected WordPress sites, including administrators. This compromises the confidentiality of sensitive data, as attackers can view or exfiltrate private information. Integrity is at risk because attackers can modify site content, settings, or user data. Availability may be affected if attackers disrupt services or lock out legitimate users. Organizations relying on this plugin for passwordless authentication face increased risk of account takeover, leading to potential website defacement, data breaches, or further lateral movement within the network. The ease of exploitation and the lack of required authentication or user interaction increase the threat's severity. This could damage organizational reputation, cause regulatory compliance issues, and result in financial losses. The vulnerability is particularly critical for high-profile websites, e-commerce platforms, and sites managing sensitive user data.

Mitigation Recommendations

1. Immediately restrict public access to the WordPress uploads directory via web server configuration (e.g., .htaccess rules or nginx directives) to prevent unauthorized retrieval of QR_Code.png or similar files.
2. Monitor server logs for repeated or suspicious login link requests, especially targeting administrator accounts, and implement rate limiting or IP blocking to mitigate automated attacks.
3. Disable or temporarily uninstall the Magic Login Mail or QR Code plugin if passwordless login is not essential until a patched version is available.
4. Implement additional multi-factor authentication (MFA) on WordPress accounts to reduce risk if an attacker obtains login URLs.
5. Regularly audit WordPress plugins and update them promptly once a security patch addressing this vulnerability is released.
6. Consider using alternative secure passwordless login solutions that do not expose predictable or publicly accessible authentication artifacts.
7. Educate site administrators about the risk and encourage vigilance for unusual login activity.
8. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to access the QR code image or exploit the race condition.
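Recommendation 2 above asks for log monitoring of the exposure window described in the Technical Analysis. The following is an added example, not code from the advisory, the plugin or Wordfence: it scans web server access log lines in the standard combined format for requests to the static QR_Code.png filename and flags (a) any request that returned 200, meaning the image was served while it existed, and (b) any client that polled the path in a tight burst, which is the traffic pattern a race against the creation/deletion window produces. The uploads path prefix (with an optional year/month subdirectory) and the burst thresholds are assumptions; the sample log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Static filename named in the advisory. The directory prefix is the WordPress
# default uploads location; the optional YYYY/MM subdirectory is an assumption
# (the advisory only says "the uploads directory"). Case-insensitive so that
# probing with a differently-cased name is still caught.
QR_PATH_RE = re.compile(r"/wp-content/uploads/(?:\d{4}/\d{2}/)?QR_Code\.png", re.IGNORECASE)

# Apache/nginx combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def analyze(lines, burst_count=5, burst_window=timedelta(seconds=10)):
    """Return (findings, bursting_ips).

    findings: one record per request to the QR code path, tagged "exposed" when the
              server returned 200 (the file was served) and "probe" otherwise.
    bursting_ips: clients with >= burst_count QR requests inside burst_window,
              i.e. the polling pattern of a race against the deletion window.
    Thresholds are assumed defaults; tune them to the site's normal traffic.
    """
    findings = []
    hits = defaultdict(list)  # ip -> timestamps of its QR-path requests
    for line in lines:
        rec = parse_line(line)
        if rec is None or not QR_PATH_RE.search(rec["path"]):
            continue
        kind = "exposed" if rec["status"] == 200 else "probe"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "kind": kind})
        hits[rec["ip"]].append(rec["ts"])

    bursting_ips = []
    for ip, stamps in hits.items():
        stamps.sort()
        # Sliding window: any burst_count consecutive requests within burst_window.
        for i in range(len(stamps) - burst_count + 1):
            if stamps[i + burst_count - 1] - stamps[i] <= burst_window:
                bursting_ips.append(ip)
                break
    return findings, bursting_ips


# Constructed sample log: a benign uploads hit, one client hammering the QR path
# (two of its requests succeed, i.e. the image was served), and one stray probe.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Feb/2026:04:40:00 +0000] "GET /wp-content/uploads/2026/02/banner.png HTTP/1.1" 200 5120
203.0.113.5 - - [14/Feb/2026:04:40:01 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 210
203.0.113.5 - - [14/Feb/2026:04:40:02 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 210
203.0.113.5 - - [14/Feb/2026:04:40:02 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 404 210
203.0.113.5 - - [14/Feb/2026:04:40:03 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 200 1834
203.0.113.5 - - [14/Feb/2026:04:40:03 +0000] "GET /wp-content/uploads/QR_Code.png HTTP/1.1" 200 1834
198.51.100.7 - - [14/Feb/2026:04:41:10 +0000] "GET /wp-content/uploads/qr_code.png HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    findings, bursts = analyze(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['ts'].isoformat()} {f['ip']:<15} status={f['status']} {f['kind']}")
    print("bursting clients:", bursts)
```

A 200 on this path after the plugin has been removed or the uploads directory locked down (recommendation 1) is a regression signal worth alerting on; the burst list is the input for the rate limiting or IP blocking the recommendation describes.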


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-02-07T00:47:48.353Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698ffec8c9e1ff5ad85c7211

Added to database: 2/14/2026, 4:49:12 AM

Last enriched: 2/21/2026, 10:13:11 PM

Last updated: 4/6/2026, 5:04:35 PM

Views: 106
