Atomic Edge analysis of CVE-2026-2144 (metadata-based):
The Magic Login Mail or QR Code plugin for WordPress contains an unauthenticated privilege escalation vulnerability. The flaw exists in the plugin’s QR code generation and email dispatch logic. Attackers can exploit a race condition to hijack a one-time login link intended for any user, including administrators, leading to full account compromise.
Atomic Edge research identifies the root cause as improper privilege management (CWE-269). The vulnerability description confirms the plugin creates a predictable file named QR_Code.png in the public uploads directory during the email sending process. The file contains the login URL encoded in the QR code. The plugin only deletes this file after the wp_mail() function completes. This sequence creates a race condition window where the file is publicly accessible. This analysis infers the plugin likely uses a hook like wp_ajax_nopriv_ to handle unauthenticated login link requests, as the description states attackers can trigger a request for any user.
Exploitation requires two concurrent steps. First, an attacker sends a request to the plugin’s unauthenticated AJAX endpoint, likely /wp-admin/admin-ajax.php, with an action parameter such as magic_login_mail_request_link and a target user parameter like user_email or user_id. This triggers the generation of the QR_Code.png file. Second, the attacker must rapidly and repeatedly request the predictable file URL, /wp-content/uploads/{year}/{month}/QR_Code.png, during the brief window before deletion. Successful retrieval of the image allows decoding of the QR code to extract the login URL, granting immediate access to the targeted account.
Remediation requires eliminating the insecure temporary file storage. The patched version likely removed the file-based QR code generation step from the email sending workflow. A secure fix would generate the QR code image in memory and attach it directly to the email without writing to the filesystem. Alternatively, the plugin could generate a cryptographically random, unguessable filename and implement immediate file cleanup with a proper exception handler to ensure deletion even if wp_mail() fails.
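The three functions below are an added illustration, not code from the plugin or from Atomic Edge: the first reproduces the file-based pattern the root-cause paragraph describes, and the other two implement the two remediation options above (in-memory attachment, and an unguessable temporary file with guaranteed cleanup). The advisory does not name the QR library, so mlm_render_qr_png() and mlm_write_qr_png() are hypothetical helpers; wp_mail(), wp_upload_dir(), get_temp_dir(), wp_delete_file(), the phpmailer_init hook and PHPMailer's addStringAttachment() are real WordPress/PHPMailer APIs.

```php
<?php
/**
 * Added illustration (not the plugin's own code, not from Atomic Edge).
 *
 * Hypothetical helpers assumed to exist (the advisory names no QR library):
 *   mlm_render_qr_png( string $data ): string      -> PNG bytes, built in memory
 *   mlm_write_qr_png( string $data, string $path )  -> writes a PNG to $path
 * $login_url is the one-time login link the plugin has already issued.
 */

// 1. Insecure pattern as described in the advisory: predictable name in the
//    public uploads directory, deleted only after wp_mail() returns. Anyone
//    who fetches the URL between the write and the unlink gets the login link.
function mlm_send_qr_insecure( string $to, string $login_url ): bool {
    $upload = wp_upload_dir();                      // e.g. .../wp-content/uploads/2026/03
    $path   = trailingslashit( $upload['path'] ) . 'QR_Code.png';
    mlm_write_qr_png( $login_url, $path );
    $sent = wp_mail( $to, 'Your login link', 'Scan the attached QR code.', array(), array( $path ) );
    unlink( $path );                                // never reached if wp_mail() throws
    return $sent;
}

// 2. Preferred fix: build the PNG in memory and hand the bytes straight to
//    PHPMailer. Nothing touches the filesystem, so there is no window at all.
function mlm_send_qr_in_memory( string $to, string $login_url ): bool {
    $png_bytes = mlm_render_qr_png( $login_url );

    // wp_mail() only accepts attachment *paths*, so attach the string through
    // the phpmailer_init hook, then unhook so later mails are unaffected.
    $attach = static function ( $phpmailer ) use ( $png_bytes ) {
        $phpmailer->addStringAttachment( $png_bytes, 'login-qr.png', 'base64', 'image/png' );
    };
    add_action( 'phpmailer_init', $attach );
    try {
        return wp_mail( $to, 'Your login link', 'Scan the attached QR code.' );
    } finally {
        remove_action( 'phpmailer_init', $attach );
    }
}

// 3. Fallback when the QR library can only write files: unguessable name,
//    a temp directory outside the web root, and cleanup that runs even on failure.
function mlm_send_qr_tempfile( string $to, string $login_url ): bool {
    // 128 bits from the CSPRNG; get_temp_dir() is not web-accessible.
    $path = get_temp_dir() . 'mlm-qr-' . bin2hex( random_bytes( 16 ) ) . '.png';
    try {
        mlm_write_qr_png( $login_url, $path );
        return wp_mail( $to, 'Your login link', 'Scan the attached QR code.', array(), array( $path ) );
    } finally {
        // finally runs on a normal return, on a false result, and on an exception alike.
        if ( file_exists( $path ) ) {
            wp_delete_file( $path );
        }
    }
}
```

The in-memory variant removes the race entirely rather than shrinking it, which is why it is the preferred fix; the temp-file variant still has a file on disk for the duration of wp_mail(), but with a 128-bit random name in a non-public directory there is no predictable URL to poll, and the finally block closes the cleanup gap that unlink() after wp_mail() leaves open.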
The impact of successful exploitation is severe. An unauthenticated attacker can gain administrative access to a WordPress site. This leads to complete site takeover, allowing installation of backdoors, theme/plugin editing, user creation or deletion, and data exfiltration. The attack chain is reliable if the attacker can win the race condition, which network latency and automated tools can facilitate.
