Magic Login Mail or QR Code Privilege Escalation Vulnerability in WordPress Plugin
Vulnerability
A privilege escalation vulnerability has been identified in the Magic Login Mail or QR Code plugin for WordPress, affecting all versions through 2.05. The vulnerability arises because the plugin saves the magic login QR code image with a static filename in the publicly accessible WordPress uploads directory. This file is only removed after the email sending process is complete, creating a race condition. Exploiting this flaw, unauthenticated attackers can request a login link for any user, including administrators, and take advantage of the timing issue to intercept the login URL encoded in the QR code, gaining unauthorized access to the user's account.
Impact
Exploitation of this vulnerability allows for unauthorized access to user accounts, including those of administrators.
Reproduction
To reproduce this vulnerability, send a login link request through the Magic Login Mail or QR Code plugin. This can be done by submitting an email address via the plugin's shortcode or email action. Once the request is sent, quickly access the WordPress uploads directory to retrieve the QR code image before it is deleted. The login URL encoded in the intercepted QR code can then be used to log in as the targeted user.
Remediation
Users are advised to uninstall the affected plugin and seek a replacement, as no patch is currently available.
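For developers of similar magic-link features, the following added example (not the plugin's code and not from the original advisory) contrasts the risky pattern described above with one that keeps the QR image out of the web root and deletes it on every code path. The function name send_qr_privately, the $send callable and all sample values are hypothetical, and it assumes the system temporary directory is not served by the web server.

```php
<?php
declare(strict_types=1);

// Risky pattern as the advisory describes it (hypothetical path, shown for contrast):
//   file_put_contents($uploads_dir . '/qr.png', $png);   // fixed name, web-served directory
//   $send($to, [$uploads_dir . '/qr.png']);              // image is public while mail is sent
//   unlink($uploads_dir . '/qr.png');                    // removed only afterwards

/**
 * Hypothetical helper: pass the QR image to a mailer without placing it
 * under the web root. $send is any callable taking (recipient, attachment paths).
 */
function send_qr_privately(string $to, string $png, callable $send, ?string $private_dir = null): bool
{
    // Assumption: this directory is not reachable over HTTP.
    $dir = $private_dir ?? sys_get_temp_dir();

    // tempnam() creates a uniquely named file with mode 0600.
    $path = tempnam($dir, 'qr_');
    if ($path === false) {
        throw new RuntimeException('could not create temporary file');
    }

    try {
        if (file_put_contents($path, $png) === false) {
            throw new RuntimeException('could not write QR image');
        }
        return (bool) $send($to, [$path]);
    } finally {
        // Runs on success, on a false return and on exceptions alike.
        if (is_file($path)) {
            unlink($path);
        }
    }
}

// Constructed demo: a stand-in mailer that records what it was handed.
$seen = [];
$ok = send_qr_privately(
    'user@example.test',
    "\x89PNG constructed sample bytes",
    function (string $to, array $files) use (&$seen): bool {
        $seen = ['path' => $files[0], 'mode' => fileperms($files[0]) & 0777];
        return true;
    }
);
printf("sent=%s mode=%o exists_after=%s\n",
    var_export($ok, true), $seen['mode'], var_export(file_exists($seen['path']), true));
```

In WordPress the callable could wrap wp_mail(), which accepts attachment file paths as its fifth argument.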
