Hi,
Thanks for the report. This is a confirmed bug in the QR code generator that the two-factor module renders on the user profile screen, and there is a quick way to get back in.
What is happening: the otpauth payload encoded into the QR includes your site name twice (once as the account label and once as the issuer). The QR encoder bundled in the recent release has a sizing limit; when the site name is long or contains non-ASCII characters (each one expands to several bytes once URL-encoded), the data goes past that limit and the encoder halts the whole page with the “code length overflow” fatal you saw. The encoder is meant to fall back to our remote QR service when local generation fails, but this particular error type stops the page before that fallback can run.
The quickest fix (no code, fully reversible):
Temporarily shorten your Site Title to a short plain-ASCII value, then reload the user screen.
- Go to Settings > General in wp-admin.
- Set Site Title to something short using only standard A-Z letters (for example, “Site”).
- Save, then open the user profile again. It will load normally.
You can switch the title back afterward. If the longer title brings the error back, use the persistent option below so you can keep your original title.
Persistent fix that keeps your current Site Title (optional, one small file):
Create a file named solid-security-2fa-qr-fix.php inside wp-content/mu-plugins/ (create the mu-plugins folder if it does not exist) with this content:
<?php
/**
* Plugin Name: Kadence Security 2FA QR Overflow Hotfix
* Description: Converts the uncatchable "code length overflow" E_USER_ERROR in the bundled QR encoder into an ErrorException so the plugin's own try/catch falls back to remote QR generation.
* Version: 1.0.0
*/
add_action( 'plugins_loaded', function () {
$previous = set_error_handler( function ( $severity, $message, $file, $line ) use ( &$previous ) {
$is_overflow = ( $severity === E_USER_ERROR )
&& ( strpos( $message, 'code length overflow' ) === 0 )
&& ( strpos( $file, 'two-factor/includes/qr-code.php' ) !== false
|| strpos( $file, 'two-factor\\includes\\qr-code.php' ) !== false );
if ( $is_overflow ) {
throw new ErrorException( $message, 0, $severity, $file, $line );
}
if ( is_callable( $previous ) ) {
return call_user_func( $previous, $severity, $message, $file, $line );
}
return false;
} );
}, 0 );
This converts that one specific error into a normal exception, which the plugin already knows how to handle, so it quietly switches to remote QR generation and the page loads as expected. It only acts on that exact error and passes everything else through untouched. To remove it later, just delete the file. It is a good idea to take a quick backup before adding a must-use plugin file, just in case.
Kind regards,
Pawel P.
