cleantalk
Vulnerabilities and Security Researches

Magic Login Mail, CVE-2026-2144

CVE, Research URL

CVE-2026-2144

Home page URL

Security reports for Magic Login Mail

Application

Magic Login Mail

Published on
Feb 14, 2026
Research Description
The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.
Affected versions
max 2.06.
Status
vulnerable
Previous vulnerability researches
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2025-13750) , Jan 28, 2026
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2019-15834) , Jun 06, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2021-25074) , Jun 10, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2026-1356) , Apr 14, 2026
New vulnerability
WP App Bar (CVE-2026-1074) , Apr 16, 2026
EM Cost Calculator (CVE-2026-2506) , Apr 16, 2026
GetGenie – Ai Content Writer with Keyword Research and Competitor Analysis (CVE-2026-1003) , Apr 16, 2026
AI ChatBot with ChatGPT and Content Generator by AYS (CVE-2026-1336) , Apr 16, 2026
Sphere Manager (CVE-2026-1905) , Apr 16, 2026