CVE-2026-2144
Magic Login · Magic Login Mail or QR Code
The Magic Login Mail or QR Code plugin for WordPress is vulnerable to privilege escalation, allowing attackers to gain unauthorized administrative access.
Executive summary
The Magic Login plugin contains a high-severity privilege escalation flaw that could allow users to bypass authentication and gain administrative control of the site.
Vulnerability
This plugin, designed to make logging in easier, contains a flaw in its authentication logic. Attackers can exploit it to elevate their privileges, potentially bypassing the "magic" link or QR code requirement and logging in as an administrator.
Business impact
The ability to escalate privileges directly undermines the security model of the WordPress site. An attacker gaining administrative access can modify content, steal user data, or install malicious software. The CVSS score of 8.1 indicates a high level of risk to organizational security.
Remediation
Immediate Action: Update the Magic Login Mail or QR Code plugin to the latest version without delay. If no patch is available, consider disabling the plugin until one is released.
Proactive Monitoring: Review user login logs for any successful administrative logins that did not follow standard procedures or occurred at unusual times.
Compensating Controls: Enforce multi-factor authentication (MFA) through a separate, trusted security provider to provide a layer of protection even if the plugin's logic is bypassed.
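One way to act on the "Proactive Monitoring" step above, as an added example that is not part of the advisory or of the plugin: scan a login audit log for administrator logins that either had no preceding magic-login request or happened at unusual hours. The log line format, the 15-minute request window and the business-hours range are all assumptions made for this example; WordPress core writes no such log, so adapt the parser to whatever audit plugin or proxy log you actually keep.

```python
"""Flag administrator logins that did not follow the normal magic-login flow
(request, then login) or that occurred outside business hours. Log format,
window and hours are assumptions for this example, not the plugin's own."""
from datetime import datetime, timedelta

# Constructed sample: a normal flow (request then login), a login with no
# preceding request, an off-hours login, and a non-admin login to ignore.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z magic_login_request user=alice role=administrator ip=203.0.113.10
2026-03-02T09:15:40Z login_success user=alice role=administrator method=magic_link ip=203.0.113.10
2026-03-02T10:02:11Z login_success user=bob role=administrator method=magic_link ip=198.51.100.7
2026-03-02T03:21:09Z magic_login_request user=carol role=administrator ip=192.0.2.44
2026-03-02T03:21:30Z login_success user=carol role=administrator method=magic_link ip=192.0.2.44
2026-03-02T11:00:00Z login_success user=dave role=subscriber method=magic_link ip=192.0.2.9
"""

REQUEST_WINDOW = timedelta(minutes=15)   # assumed validity of a link/QR request
BUSINESS_HOURS = range(8, 19)            # assumed normal hours, 08:00-18:59 UTC

def parse_line(line):
    """Parse one 'timestamp event key=value ...' line into a dict."""
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = event
    return rec

def find_suspicious_admin_logins(log_text):
    """Return (user, timestamp, reason) tuples for admin logins worth review."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    requests = {}   # user -> timestamp of that user's latest magic_login_request
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == "magic_login_request":
            requests[rec["user"]] = rec["ts"]
            continue
        if rec["event"] != "login_success" or rec.get("role") != "administrator":
            continue
        reasons = []
        last_req = requests.get(rec["user"])
        if last_req is None or rec["ts"] - last_req > REQUEST_WINDOW:
            reasons.append("no recent magic-login request for this user")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("login outside business hours")
        if reasons:
            findings.append((rec["user"], rec["ts"].isoformat(), "; ".join(reasons)))
    return findings
```

On the constructed sample this reports bob (login with no request on record) and carol (login at 03:21), while alice's normal flow and dave's subscriber login are left alone.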
Exploitation status
Public Exploit Available: false
Analyst recommendation
Apply the necessary updates immediately. Because this plugin handles the authentication process, any vulnerability within it is critical. Organizations should evaluate if the convenience of "magic" logins outweighs the risk posed by such vulnerabilities.