Magic Login Mail or QR Code Security & Risk Analysis
wordpress.org/plugins/magic-login-mailEnter your email address, and send you an email with a magic link or QR Code to login without a password.
Is Magic Login Mail or QR Code Safe to Use in 2026?
Generally Safe
Score 97/100Magic Login Mail or QR Code has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.
The magic-login-mail plugin, version 2.06, exhibits a mixed security posture. On the positive side, the static analysis reveals no direct attack surface exposed through AJAX, REST API, shortcodes, or cron events. Furthermore, the code demonstrates good output escaping practices, with all identified outputs being properly escaped, and there are no identified dangerous functions, file operations, or external HTTP requests. However, a significant concern arises from the presence of a single SQL query that does not utilize prepared statements. This indicates a potential for SQL injection vulnerabilities if user-supplied data is directly incorporated into this query. The vulnerability history reveals a past high-severity CVE related to Improper Privilege Management. While there are no currently unpatched vulnerabilities, this history suggests a tendency for critical security flaws to emerge in this plugin, requiring diligent monitoring and prompt patching of any future disclosures.
Key Concerns
- Raw SQL query without prepared statements
- Past high severity CVE (Improper Privilege Management)
Magic Login Mail or QR Code Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Magic Login Mail or QR Code <= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage
Magic Login Mail or QR Code Release Timeline
Magic Login Mail or QR Code Code Analysis
SQL Query Safety
Magic Login Mail or QR Code Attack Surface
Maintenance & Trust
Magic Login Mail or QR Code Maintenance & Trust
Maintenance Signals
Community Trust
Magic Login Mail or QR Code Alternatives
User Verification by PickPlugins
user-verification
Email verification for user registration to protect spam.
Email OTP Authenticator – Login, Register, 2FA & Session Lock
email-otp-authenticator
An advanced OTP-powered plugin for Login, Registration, 2FA Protection and Dynamic Session Security. It is FAST, FRIENDLY, SMART, SMOOTH & SECURE.
Magic Emails & Autologin URLs
bh-wp-autologin-urls
Adds magic email link to login screen. Adds single-use passwords to WordPress emails' URLs for frictionless login.
Multibyte CAPTCHA login and Mail only register
user-mail-only-register
Multibyte CAPTCHA login form and register users with mail only.
VentraConnect – Social Login, Magic Link & Email OTP (Passwordless)
ventraconnect-social-login
Social login with 15+ providers plus passwordless login (Magic Link & Email OTP), with Guardrails to block spam registrations.
Magic Login Mail or QR Code Developer Profile
54 plugins · 56K total installs
How We Detect Magic Login Mail or QR Code
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/magic-login-mail/lib/js/magicloginmail.js/wp-content/plugins/magic-login-mail/lib/css/magicloginmail.css/wp-content/plugins/magic-login-mail/lib/js/magicloginmail.jsmagic-login-mail/lib/js/magicloginmail.js?ver=magic-login-mail/lib/css/magicloginmail.css?ver=HTML / DOM Fingerprints
magic-login-mail-formmagic-login-mail-btnmagic-login-mail-login-errormagic-login-mail-message<!-- Magic Login Mail or QR Code --><!-- BEGIN magic login mail --><!-- END magic login mail -->data-magicloginmail-emaildata-magicloginmail-actionmagicLoginMailObject[magic_login_mail_form]