CVE-2026-2144 - Vulnerability Analysis

Overview

Magic Login Mail or QR Code WordPress plugin <= 2.05 contains a privilege escalation caused by predictable QR code filename and race condition in uploads directory, letting unauthenticated attackers gain unauthorized user access, exploit requires triggering login link request.

Severity & Score

Impact

Unauthenticated attackers can gain unauthorized access to any user account, including administrators, via race condition exploitation.

Mitigation

Update to a version later than 2.05 or the latest available version.

References

• https://plugins.trac.wordpress.org/browser/magic-login-mail/trunk/lib/class-magicloginmail.php#L250
• https://plugins.trac.wordpress.org/browser/magic-login-mail/trunk/lib/class-magicloginmail.php#L325
• https://www.wordfence.com/threat-intel/vulnerabilities/id/65066a17-653b-4444-9bd0-894ea8c1acb1?source=cve

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 14, 2026

🟠 CVE-2026-2144 - High (8.1) The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2144/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(6 repos)

• https://github.com/you-ssef9/CVE-2026-21440
• https://github.com/chinaxploiter/CVE-2026-21445-PoC
• https://github.com/TibbersV6/CVE-2026-21440-POC-EXP
• https://github.com/jermaine22sei/CVE-2026-2144-exploit
• https://github.com/redpack-kr/Ashwesker-CVE-2026-21440
• https://github.com/k0nnect/cve-2026-21440-writeup-poc

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner