as247
Forum Replies Created
You may do it in the set_auth_cookie action; when wp_set_auth_cookie is called, it triggers the set_auth_cookie action.
@technicalx Please try
wp2sv()->get('auth')->setCookie($user_id, $remember)
after
wp_set_auth_cookie( $user_id, $remember, '', $new_token );
Hi
When using the “Login As” feature (switching to another user from admin), WP2SV may still require two-step verification.
To mark the session as already having passed two-step verification, add:
add_action('wp2sv_handle', function ($wp2sv) {
    $wp2sv->make('handler')->passed();
}, 9);
You may also disable wp2sv for safe requests:
add_action('wp2sv_trusted_request', '__return_true');
Hope this helps
Forum: Plugins
In reply to: [WP 2-step verification] TOTP secret disclosed to third‑party QR service
Hi joostgrunwald,
Thanks for your findings and concerns regarding the potential exposure of the TOTP secret to third-party QR code services.
Before version 2.6.3, the plugin used Google’s QR code API to generate QR codes. While this method exposed the TOTP secret to a third-party service via HTTP requests, the risk of Google actively intercepting or misusing this data is very low, given their reputation and business model.
Starting from version 2.6.3, we have switched to rendering QR codes entirely on the client side using JavaScript, without relying on any external QR code generation services. You can review the relevant code here:
https://plugins.trac.ww.wp.xz.cn/browser/wordpress-2-step-verification/tags/2.6.3/resources/js/components/authenticator.vue
Here is the key snippet responsible for rendering the QR code locally:
renderQrCodes() {
    let size = this.qr_size || 128;
    let qrCodeDivs = document.getElementsByClassName('wp2sv-qrcode-render');
    // Bail out if there is nothing to render into or the QRCode library is not loaded.
    if (qrCodeDivs.length === 0 || typeof QRCode === 'undefined') {
        console.log('No QR code divs found or no data to render QR code', qrCodeDivs.length, typeof QRCode === 'undefined');
        return false;
    }
    try {
        // Draw the QR code into each placeholder element in the browser.
        for (let i = 0; i < qrCodeDivs.length; i++) {
            new QRCode(qrCodeDivs[i], {
                text: this.qr_data,
                width: size,
                height: size,
                correctLevel: QRCode.CorrectLevel.M,
            });
        }
        return true;
    } catch (e) {
        return false;
    }
}
The fallback to a third-party QR code image URL is included as a safety net but is almost never triggered in real usage.
Unused external QR code services were removed in version 2.6.4 to further reduce any risk.
Therefore, there is no vulnerability related to TOTP secret exposure via QR code generation.
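A defender-side check for the concern discussed in this thread, as an added example that is not part of the original reply or the plugin's code: given request URLs captured while the two-step setup page loads (for instance from a browser HAR export), it flags any request to a host other than the site whose query string carries an otpauth:// provisioning URI. The host names, the `data` parameter and the Base32 secret are constructed placeholders.

```javascript
// Added example: audit captured request URLs for TOTP provisioning data
// (an otpauth:// URI) sent to any host other than the site itself.

// Decode repeatedly so single- and double-encoded values are both caught.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns one finding per third-party query parameter that carries an
// otpauth:// URI. The secret value is never copied into the finding.
function findTotpLeaks(requestUrls, firstPartyHost) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch (e) {
      continue; // not an absolute URL
    }
    if (url.hostname === firstPartyHost) continue;
    for (const [param, value] of url.searchParams) {
      const match = fullyDecode(value).match(/otpauth:\/\/(?:totp|hotp)\/\S*/i);
      if (!match) continue;
      const hasSecret = /[?&]secret=[A-Z2-7]+/i.test(match[0]);
      findings.push({ host: url.hostname, param, hasSecret });
    }
  }
  return findings;
}

// Constructed sample data: hosts, parameter name and secret are placeholders.
const SAMPLE_OTPAUTH = 'otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example';
const SAMPLE_REQUESTS = [
  'https://site.example/wp-admin/profile.php',
  'https://qr.thirdparty.example/render?data=' + encodeURIComponent(SAMPLE_OTPAUTH),
  'https://cdn.thirdparty.example/qrcode.min.js',
];
console.log(findTotpLeaks(SAMPLE_REQUESTS, 'site.example'));
```

An empty result for a capture of the setup page means no otpauth:// data left the browser in a query string during that capture.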
Forum: Plugins
In reply to: [WP 2-step verification] PHP warning: Private methods cannot be final
Fixed in v2.6.3
Forum: Plugins
In reply to: [WP 2-step verification] Nothing is being accepted
That means you entered the wrong code too many times; you can try again later or use a recovery method.
Forum: Plugins
In reply to: [WP 2-step verification] QR code is not displayed
Fixed in v2.6.2
Hi @technicalx, please try to use App Password to connect.
Forum: Plugins
In reply to: [WP 2-step verification] Remember this computer for 30 days not working
Just checked the latest version and it’s working on my end. I think it may conflict with your plugins; could you try again with all other plugins disabled?
Forum: Plugins
In reply to: [WP 2-step verification] Remember this computer for 30 days not working
Please open the developer tools and check the cookies in your browser; there should be a cookie like wp2sv_sec_{hash}, for example wp2sv_sec_2c1978df4ba5a3163128c8ac53c22a11. Please check the expiration date on this cookie.
Forum: Plugins
In reply to: [WP 2-step verification] Remember this computer for 30 days not working
Hi. Please refrain from using the logout function, as it will also clear the remembered token.
Forum: Plugins
In reply to: [WP 2-step verification] bug: is_ajax is undefined
Fixed in v2.6.1
Forum: Plugins
In reply to: [WP 2-step verification] Server Time not Sync
A difference between server and local time is normal; just verify the time is correct.
Forum: Plugins
In reply to: [WP 2-step verification] Woocommerce 2-step page gives 404 (advice)
@lvbac we need to have permalinks enabled. It seems you don’t have permalinks enabled properly, so all pages become 404 not found. This issue is not related to the plugin; it should be related to the server/settings.
