| Plugin Name | WordPress Magic Login Mail or QR Code Plugin |
|---|---|
| Type of Vulnerability | Privilege escalation |
| CVE Number | CVE-2026-2144 |
| Urgency | High |
| CVE Publish Date | 2026-02-15 |
| Source URL | CVE-2026-2144 |
Privilege Escalation in Magic Login Mail / QR Code Plugin (≤ 2.05): Risks, Impact, and How US-Based WordPress Operators Should Respond
Published: 15 Feb, 2026
CVE: CVE-2026-2144 — Severity: High (CVSS 8.1)
Author: Managed-WP Security Team
Executive Summary
- A high-severity privilege escalation vulnerability has been disclosed affecting versions up to and including 2.05 of the WordPress plugin Magic Login Mail or QR Code.
- The vulnerability allows unauthenticated attackers to escalate privileges because the plugin stores QR code login artifacts as web-accessible files.
- Attackers who extract and reuse the one-time login tokens embedded in those files can authenticate as the corresponding user, including administrators, which is sufficient for full site compromise.
- No official patch is available at the time of disclosure; immediate mitigations and long-term best practices are essential.
As a leading security provider specializing in WordPress, Managed-WP recommends that all site owners, developers, and hosting providers review this advisory carefully and take immediate action. This vulnerability poses a significant risk to business continuity, data privacy, and user trust.
Table of Contents
- Understanding the Vulnerability
- Why the Risk is Elevated
- Attack Methodology in Brief
- Indicators of Compromise and Detection
- Immediate Remediations
- Hardening Measures for Operators & Hosting Providers
- Secure Plugin Development Practices
- Example Server Configurations to Mitigate Access
- How Managed-WP’s Security Services Provide Protection
- Responsible Disclosure & Industry Best Practices
- Prioritized Recovery Checklist
- Concluding Notes & Next Steps
Understanding the Vulnerability
The Magic Login Mail or QR Code plugin facilitates passwordless login by generating QR codes or login links that users scan or click to access WordPress sites. These QR codes are stored as files representing one-time login tokens.
The vulnerability arises from storing these artifacts in publicly accessible directories with predictable URLs and without enforced expiration or access control. An attacker who discovers or guesses such a URL can read the token and redeem it, obtaining a session for the user the token was issued to.
In essence, the authentication system relies on the secrecy of a file that the web server is willing to serve, a classic security design flaw. An attacker who locates the file issued for an administrator obtains administrator access and can take over the site.
Why the Risk is Elevated
- Unauthenticated Attack Vector: No login or prior access is required to exploit.
- Privilege Escalation: Attack moves from public internet access to elevated roles without needing credentials.
- Low Barrier for Attackers: Tokens stored in public uploads folders with predictable naming make mass scanning feasible.
- No Immediate Patch: Site operators must take manual countermeasures until official fixes become available.
- Severe Impact: Potential full compromise of WordPress installations, risking data loss, defacement, and unauthorized control.
With a CVSS score of 8.1 this vulnerability is rated High, and the unauthenticated vector combined with the absence of a patch makes it urgent. The US WordPress community should prioritize rapid response.
Attack Methodology in Brief
- Reconnaissance: Identifying WordPress sites using the vulnerable plugin via public information or automated scanning.
- Artifact Enumeration: Requesting paths such as /wp-content/uploads/magic-login/ to locate QR code files.
- Token Extraction: Decoding the QR code or reading the file content containing the magic login link token.
- Privilege Escalation: Using extracted tokens, attackers log in as targeted users, including administrators.
- Post-Compromise Actions: Deploy backdoors, add new admin users, extract sensitive data, or pivot laterally.
Automated scripts enable rapid exploitation across many sites at once, so unmitigated installations should be expected to be found and abused by mass scanning rather than by targeted attacks alone.
Indicators of Compromise and Detection
Operators should scan for these signs immediately:
- Presence of QR and Magic Login Artifacts: Check for files under /wp-content/uploads/magic-login/, /wp-content/uploads/magic_login/, or similarly named directories, with extensions such as .png, .jpg, or .svg.
- Suspicious HTTP GET Requests: Look for repeated or sequential access patterns in server logs targeting these directories, in particular bursts of 404 responses from a single client followed by a 200 (a guessed name that existed).
- Unusual Authentication Logs: Unexpected login times, one-time link usage, or login from unknown IP addresses.
- User and Role Changes: Unexpected creation of admin accounts or modifications to existing user privileges or emails.
- Unexpected Files or Code: Discovery of new PHP files, obfuscated code (e.g., base64) or scheduled jobs like cron tasks.
- External Connections: Outbound traffic to unknown IPs or domains that might suggest command and control activity.
Detection of any such indicators should trigger immediate incident response protocols.
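The following Python script is an added example, not part of the original advisory and not code from the plugin or from Managed-WP. It applies the "suspicious HTTP GET requests" indicator to constructed web server log lines in the common combined format: requests for upload paths whose name mentions magic, qr or login are grouped by client address, and a client is flagged when it made several such requests with a high share of 404 responses, which is what name guessing looks like. The paths a flagged client did retrieve are listed separately, because those tokens must be treated as exposed. The sample lines, the thresholds and the path pattern are assumptions; adjust the pattern to the directory your installation uses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the "combined" access log format (not real traffic).
# 203.0.113.7 walks sequential file names and eventually hits one that exists;
# 198.51.100.4 is an ordinary user who fetched a single QR image once.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2026:03:14:01 +0000] "GET /wp-content/uploads/magic-login/qr-1001.png HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2026:03:14:01 +0000] "GET /wp-content/uploads/magic-login/qr-1002.png HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2026:03:14:02 +0000] "GET /wp-content/uploads/magic-login/qr-1003.png HTTP/1.1" 200 8812 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2026:03:14:02 +0000] "GET /wp-content/uploads/magic-login/qr-1004.png HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2026:03:14:03 +0000] "GET /wp-content/uploads/magic-login/qr-1005.png HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.4 - - [15/Feb/2026:09:02:10 +0000] "GET /wp-content/uploads/2026/02/logo.png HTTP/1.1" 200 4210 "https://example.com/" "Mozilla/5.0"
198.51.100.4 - - [15/Feb/2026:09:02:11 +0000] "GET /wp-content/uploads/magic-login/qr-2048.png HTTP/1.1" 200 8790 "https://example.com/my-account" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed artifact location: anything under uploads whose path mentions magic, qr or login.
ARTIFACT_RE = re.compile(r"^/wp-content/uploads/[^?]*(magic|qr|login)", re.IGNORECASE)


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_enumerators(log_text, min_requests=3, min_miss_ratio=0.5):
    """Flag clients that request several artifact paths with mostly 404 responses.

    Returns {ip: {"requests", "distinct_paths", "not_found", "found", "found_paths"}}.
    Only 404 and 2xx responses are counted; redirects and errors are ignored.
    found_paths lists the artifacts the client actually retrieved.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "found": [], "not_found": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if not ARTIFACT_RE.match(path):
            continue
        stats = per_ip[ip]
        stats["paths"].add(path)
        if status == 404:
            stats["not_found"] += 1
        elif 200 <= status < 300:
            stats["found"].append(path)

    flagged = {}
    for ip, stats in per_ip.items():
        total = stats["not_found"] + len(stats["found"])
        if total >= min_requests and stats["not_found"] / total >= min_miss_ratio:
            flagged[ip] = {
                "requests": total,
                "distinct_paths": len(stats["paths"]),
                "not_found": stats["not_found"],
                "found": len(stats["found"]),
                "found_paths": sorted(stats["found"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a flagged client with a non-empty found_paths list means at least one token file was served to a scanner and the corresponding user session must be assumed compromised.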
Immediate Remediations
Without an official patch, take these prioritized, safe actions to reduce exposure:
- Disable the Plugin: Deactivate Magic Login Mail or QR Code on all production sites so that no new artifacts are created.
- Block Access to QR Artifact Directories: Use server-level rules to deny web access to directories holding QR code files.
- Remove or Relocate Token Files: Delete or move QR-related files from public uploads folders to a secure location.
- Force Password Resets and Rotate Auth Keys: Require all admins to reset passwords and rotate the WordPress salts in wp-config.php, which invalidates existing sessions and cookies.
- Audit User Accounts and Logs: Remove suspicious users and review login histories for anomalous activity.
- Review File Permissions: Enforce principle of least privilege on uploads and plugins directories; avoid world-writable permissions.
- Conduct Malware Scans and Backups: Scan for backdoors, restore clean backups if necessary, and take forensic snapshots.
- Isolate if Compromised: Immediately isolate affected sites until cleaned and secured.
- Enhance Logging and Monitoring: Enable detailed logs and watch for scanning patterns targeting uploads.
Note: Deleting files alone does not clear the risk if an attacker has already used tokens to access the site.
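The "remove or relocate token files" and "take forensic snapshots" steps above can be combined into one pass. The following Python script is an added example, not code from the advisory or the plugin: it walks the uploads tree, selects files whose names look like QR or magic-login artifacts (an assumed pattern; adjust it to what the plugin writes on your installation), records path, size, modification time and SHA-256 for the incident record, and moves the files to a quarantine directory outside the uploads tree, preserving their relative paths. A dry run lists what would be moved without touching anything. demo() builds a throwaway directory tree with constructed files so the behaviour can be seen offline.

```python
import hashlib
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed naming pattern for artifact files; verify against your installation.
ARTIFACT_NAME_RE = re.compile(r"(magic|qr|login).*\.(png|jpe?g|svg)$", re.IGNORECASE)


def sha256_file(path):
    """Hash a file in chunks so large images do not need to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_artifacts(uploads_dir, quarantine_dir, dry_run=False):
    """Move artifact files out of uploads_dir into quarantine_dir and return the manifest.

    The manifest is a list of dicts with the original path, relative path, size,
    modification time (UTC) and SHA-256; with dry_run=True nothing is moved or written.
    """
    uploads_dir = Path(uploads_dir).resolve()
    quarantine_dir = Path(quarantine_dir).resolve()
    if quarantine_dir == uploads_dir or uploads_dir in quarantine_dir.parents:
        raise ValueError("quarantine directory must be outside the uploads tree (ideally outside the web root)")

    manifest = []
    for path in sorted(uploads_dir.rglob("*")):
        # Skip directories and symlinks: moving a symlink target could pull in unrelated files.
        if path.is_symlink() or not path.is_file() or not ARTIFACT_NAME_RE.search(path.name):
            continue
        relative = path.relative_to(uploads_dir)
        st = path.stat()
        entry = {
            "original": str(path),
            "relative": relative.as_posix(),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(path),  # hashed before the move, so the record matches the file as found
        }
        if not dry_run:
            dest = quarantine_dir / relative
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))
            entry["quarantined_as"] = str(dest)
        manifest.append(entry)

    if not dry_run:
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        with open(quarantine_dir / "manifest.json", "w") as fh:
            json.dump(manifest, fh, indent=2)
    return manifest


def demo():
    """Build a constructed uploads tree in a temp dir, quarantine it, and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="mwp-demo-"))
    uploads = root / "wp-content" / "uploads"
    (uploads / "magic-login").mkdir(parents=True)
    (uploads / "2026" / "02").mkdir(parents=True)
    (uploads / "magic-login" / "qr-1003.png").write_bytes(b"\x89PNG constructed sample")
    (uploads / "2026" / "02" / "magic_login_abc.svg").write_bytes(b"<svg/>")
    (uploads / "2026" / "02" / "logo.png").write_bytes(b"ordinary site image")

    planned = quarantine_artifacts(uploads, root / "quarantine", dry_run=True)
    moved = quarantine_artifacts(uploads, root / "quarantine")
    remaining = sorted(p.relative_to(uploads).as_posix() for p in uploads.rglob("*") if p.is_file())
    return {
        "planned": sorted(e["relative"] for e in planned),
        "moved": sorted(e["relative"] for e in moved),
        "remaining": remaining,
        "manifest_written": (root / "quarantine" / "manifest.json").is_file(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the dry run first and review the list; files the plugin needs for purposes other than login should be excluded by tightening ARTIFACT_NAME_RE rather than by editing the manifest afterwards, so that the manifest remains an accurate record of what was moved.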
Hardening Measures for Site Owners and Hosting Providers
Site owners:
- Apply least privilege principles; limit administrator accounts.
- Disable or restrict plugins that store auth tokens publicly.
- Implement WAF rules to block scanning and token enumeration.
- Use multi-factor authentication (MFA) on privileged accounts.
- Keep WordPress core, plugins, and PHP up to date; remove unused plugins/themes.
- Maintain tested offline backups regularly.
Hosting providers:
- Enforce host-level access restrictions for sensitive artifacts.
- Offer secure, private storage options outside web root.
- Provide role-based access control and activity monitoring for clients.
Secure Plugin Development Practices
Developers of authentication or “magic login” plugins must adhere to security best practices to avoid repeating this flaw:
- No Public Exposure of Tokens: Avoid embedding tokens in filenames or storing them in public directories.
- Secure Server-Side Storage: Store tokens in databases with strong hashing, expiration, and usage limits.
- Strict Token Lifecycle: Short expiry windows, single-use tokens, and rate-limiting validation attempts.
- Capability Verification: Require authorization checks before elevating privileges or changing roles.
- Non-Enumerable, Secure Storage: Store files outside web root or serve dynamically via authorized endpoints.
- Comprehensive Logging and Alerting: Log token issuing and usage; alert on suspicious patterns.
- Robust Input Validation: Sanitize all inputs to prevent path traversal or injection.
- Secure Defaults: Opt for minimal exposure and require explicit admin consent to enable risky features.
Plugin developers are urged to audit existing codebases immediately.
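To make the storage and lifecycle points concrete, here is an added example in Python rather than PHP; it is illustrative, not the plugin's code, and the design carries over directly to a WordPress plugin. The flawed pattern is shown only as the public path it would produce. The hardened store generates an unguessable token, keeps only its SHA-256 hash together with an expiry and a used flag (so a leaked database row or a readable file exposes nothing redeemable), enforces single use, and counts failed redemptions per client so guessing can be throttled. The TTL and attempt limit are assumed values.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 300     # assumed: short expiry window, tune per deployment
MAX_FAILED_REDEEMS = 5      # assumed: failed lookups allowed per client bucket


def flawed_public_artifact_path(token):
    """The anti-pattern described in this advisory: the secret becomes a web-served file name.
    Anyone who can list or guess names under uploads can read the token."""
    return f"/wp-content/uploads/magic-login/{token}.png"


class MagicLoginStore:
    """Server-side token store holding only hashes. `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}        # sha256(token) -> {"user_id", "expires_at", "used"}
        self._failures = {}    # client bucket (e.g. IP) -> failed redemption count

    def issue(self, user_id):
        # 32 random bytes: not guessable, so scanning the namespace is infeasible.
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "user_id": user_id,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        # Returned to the caller for delivery by mail or as QR content only;
        # it is never written to disk and the store cannot reproduce it.
        return token

    def redeem(self, token, client_bucket):
        """Return the user_id if the token is valid, unexpired and unused; otherwise None."""
        if self._failures.get(client_bucket, 0) >= MAX_FAILED_REDEEMS:
            return None                      # throttle guessing before any lookup
        row = self._rows.get(self._digest(token))
        now = self._clock()
        if row is None or row["used"] or now > row["expires_at"]:
            self._failures[client_bucket] = self._failures.get(client_bucket, 0) + 1
            return None
        row["used"] = True                   # single use: a replayed link fails
        return row["user_id"]

    def purge_expired(self):
        """Housekeeping: drop rows that can never be redeemed again; returns how many."""
        now = self._clock()
        stale = [d for d, r in self._rows.items() if r["used"] or now > r["expires_at"]]
        for d in stale:
            del self._rows[d]
        return len(stale)

    @staticmethod
    def _digest(token):
        # Lookup is by hash; the stored value is useless without the original token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()
```

In a real plugin the rows live in a database table, the client bucket would typically be the requesting IP or a per-user counter, and the QR image, if one is rendered at all, should be generated on the fly by an endpoint that checks the requester's identity rather than being written under uploads.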
Example Server Configurations to Restrict Access
If immediate plugin deactivation is not feasible, block HTTP access to the directory that holds the token files. Verify the actual directory name on your installation first; this advisory refers to /wp-content/uploads/magic-login/, but the name may differ between versions.
Apache (.htaccess)
# Place this .htaccess inside the artifact directory itself (Apache 2.4 syntax;
# requires AllowOverride AuthConfig or All for the uploads tree)
Require all denied
# Alternative: allow only requests originating from the server itself
# Require local
Do not place the following rule in the uploads root, because it would also block every legitimate image on the site; use it only inside the artifact directory if the token files there carry generic image names:
<FilesMatch "\.(png|jpg|jpeg|svg)$">
Require all denied
</FilesMatch>
Nginx
# Add inside the server block. A return is processed before access checks such as
# deny all would be, so a single directive is sufficient; anchor the regex so it
# cannot match a longer unrelated path.
location ~* ^/wp-content/uploads/magic-login/ {
    return 404;
}
Important: blocking access disables the magic login feature for legitimate users as well; coordinate with stakeholders before applying the rule.
How Managed-WP’s Security Platform Supports Your Defense
Managed-WP’s managed Web Application Firewall (WAF) and security platform provide layered defenses during remediation:
- Custom virtual patching to block exploitation patterns and enumeration attempts.
- Adaptive rate limiting and bot mitigation to prevent mass scanning.
- Real-time incident alerts and event monitoring for suspicious token activity.
- Centralized protection for clients managing multiple WordPress sites.
- Expert onboarding and hands-on remediation guidance from US-based security professionals.
While WAFs add an important protective layer, they complement but do not replace applying secure code fixes and site hardening.
Responsible Disclosure and Industry Collaboration
Responsible vulnerability disclosure supports a safer ecosystem. Managed-WP endorses privately reporting issues to plugin authors, allowing adequate time for patch development before public advisories.
This high-severity advisory is published publicly given the immediate danger posed to WordPress sites across the US and globally. Site operators should prioritize mitigation.
Priority Recovery Checklist — Act Now
- Deactivate Magic Login Mail/QR Code plugin on all production environments.
- Block web access to QR code upload directories using server rules.
- Remove or move all QR code and magic login artifact files from public directories.
- Enforce password resets for privileged users; rotate authentication keys/salts.
- Review user accounts and logs for unauthorized access or accounts; rectify accordingly.
- Run thorough malware scans; isolate compromised sites; restore from clean backups if needed.
- Deploy WAF rules tailored to block related attack vectors.
- Continuously monitor and repeat scans after remediation actions.
Concluding Remarks and Next Steps
This vulnerability highlights the critical importance of secure token management and robust privilege checks in WordPress plugins. Convenience features, like passwordless login, must be implemented with strong security controls to prevent catastrophic breaches.
WordPress site operators are strongly urged to incorporate immediate mitigations and leverage managed services like Managed-WP to safeguard infrastructure. Developers should review and enhance plugin security designs without delay.
Managed-WP is actively monitoring this situation and prepared to assist customers with assessments, mitigations, and recovery.
Stay vigilant and prioritize privileged account protection — your site’s security and your business reputation depend on it.
— Managed-WP Security Team
Appendix: Useful Commands for Defensive Reconnaissance
Search for QR code files in uploads:
find /path/to/wordpress/wp-content/uploads -type f \( -iname "*magic*.png" -o -iname "*qr*.png" -o -iname "*magic*.jpg" -o -iname "*qr*.svg" \)
Analyze web server logs (combined log format; substitute the Apache access log path if applicable) for repeated requests against upload paths that mention magic, qr, or login, summarized by client, time, path, and status:
grep -E "/wp-content/uploads/.{0,50}(magic|qr|login)" /var/log/nginx/access.log | awk '{print $1,$4,$7,$9}' | sort | uniq -c | sort -nr | head
List admin users via WP-CLI:
wp user list --role=administrator --fields=ID,user_login,user_email,display_name,user_registered
Generate new salts to rotate authentication keys: https://api.wordpress.org/secret-key/1.1/salt/
If your organization manages multiple WordPress sites and requires assistance executing these steps, implementing temporary access controls, or securing your infrastructure, contact Managed-WP for expert, US-based managed security services and rapid incident response support.
Take Proactive Action — Secure Your Site with Managed-WP
Don’t risk your business or reputation due to overlooked plugin flaws or weak permissions. Managed-WP provides robust Web Application Firewall (WAF) protection, tailored vulnerability response, and hands-on remediation for WordPress security that goes far beyond standard hosting services.
Exclusive Offer for Blog Readers: Access our MWPv1r1 protection plan—industry-grade security starting from just USD20/month.
- Automated virtual patching and advanced role-based traffic filtering
- Personalized onboarding and step-by-step site security checklist
- Real-time monitoring, incident alerts, and priority remediation support
- Actionable best-practice guides for secrets management and role hardening
Get Started Easily — Secure Your Site for USD20/month:
Protect My Site with Managed-WP MWPv1r1 Plan
Why trust Managed-WP?
- Immediate coverage against newly discovered plugin and theme vulnerabilities
- Custom WAF rules and instant virtual patching for high-risk scenarios
- Concierge onboarding, expert remediation, and best-practice advice whenever you need it
Don’t wait for the next security breach. Safeguard your WordPress site and reputation with Managed-WP—the choice for businesses serious about security.
Click above to start your protection today (MWPv1r1 plan, USD20/month).