The Magic Login Mail or QR Code plugin for WordPress, developed by katsushi-kawamori, suffers from a critical privilege escalation vulnerability identified as CVE-2026-2144. This vulnerability arises because the plugin generates a magic login QR code image file named 'QR_Code.png' with a static and predictable filename, storing it in the publicly accessible WordPress uploads directory during the process of sending login emails. The file is deleted only after the wp_mail() function completes, creating a narrow but exploitable race condition window. During this window, an unauthenticated attacker can trigger a login link request for any user, including administrators, and access the QR code image before it is deleted. By obtaining this QR code, the attacker extracts the encoded login URL, effectively bypassing authentication mechanisms and gaining unauthorized access to the victim's account. The vulnerability is classified under CWE-269 (Improper Privilege Management) and affects all versions of the plugin up to and including 2.05. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, no privileges required, no user interaction, but requiring high attack complexity due to the race condition. Although no known exploits are reported in the wild, the vulnerability presents a significant risk to WordPress sites using this plugin, especially those with privileged users. The lack of a patch or update link indicates that mitigation must currently rely on configuration changes or plugin removal.

For European organizations, this vulnerability poses a substantial risk to websites running WordPress with the Magic Login Mail or QR Code plugin. Successful exploitation allows attackers to bypass authentication and gain administrator-level access, potentially leading to data breaches, website defacement, or use of compromised sites as launchpads for further attacks. Confidentiality of user data and internal communications can be compromised, while integrity and availability of web services may be disrupted. Organizations in sectors such as finance, healthcare, government, and e-commerce, which rely heavily on WordPress for public-facing portals or internal tools, are particularly at risk. The exploitability without authentication and user interaction increases the threat level, especially for sites with high-value targets. Additionally, the predictable filename and public storage of sensitive login artifacts violate best security practices, increasing exposure. The absence of known active exploits provides a window for proactive mitigation, but the high CVSS score underscores urgency.

European organizations should immediately audit their WordPress installations to identify use of the Magic Login Mail or QR Code plugin, particularly versions up to 2.05. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to eliminate exposure. If continued use is necessary, implement strict access controls on the WordPress uploads directory to prevent unauthenticated access to temporary files, such as using .htaccess rules or web server configuration to deny access to the QR code image filename or restrict directory listing. Monitoring web server logs for repeated requests to 'QR_Code.png' or unusual login link requests can help detect exploitation attempts. Additionally, organizations should enforce multi-factor authentication (MFA) on WordPress administrator accounts to mitigate unauthorized access even if login URLs are compromised. Regularly update WordPress core and plugins, and subscribe to vendor advisories for patches. Employing web application firewalls (WAF) with custom rules to block suspicious requests targeting the uploads directory can provide an additional layer of defense.