julien731 / AuthPress

Add 2-factor authentication to your WordPress blog site.
https://wordpress.org/plugins/wp-google-authenticator/
GNU General Public License v3.0

2FA not Enforced if a User has an Additional Capability and wpga_active not Set #43

Open asif-anwar opened 3 years ago

asif-anwar commented 3 years ago

Hey,

I want to report a corner case. We have enforced 2FA for a select list of roles, but the user is able to log in without 2FA if:

  1. The user has a capability directly assigned to him in addition to a normal role, like this: `a:2:{s:14:"capability_new";b:1;s:10:"subscriber";b:1;}`,
  2. And the `wpga_active` meta key is not set. We have a lot of cases where 2FA is active but `wpga_active` is not set,
  3. And the capability comes before the role.

Thanks, Asif
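The corner case reported above, as an added example in plain PHP (not the plugin's code and not part of the issue): the serialized `wp_capabilities` value is the one quoted in the report; the role lists, the user meta array and the function names `is_2fa_required_fragile()` / `is_2fa_required_robust()` are constructed assumptions. The fragile check models one plausible way an enforcement test becomes order-sensitive, treating the first key of `wp_capabilities` as the user's role; the robust check derives roles the way `WP_User` does, by keeping only keys that are real role names, and enforces on any matching role.

```php
<?php
// Added example, not AuthPress/WP Google Authenticator code. Reproduces the
// enforcement gap from the issue without WordPress. Function names, role
// lists and user meta below are hypothetical; the capabilities string is the
// one quoted in the issue.

// Serialized wp_capabilities from the issue: a capability key precedes the role.
$serialized_caps = 'a:2:{s:14:"capability_new";b:1;s:10:"subscriber";b:1;}';

// Constructed sample: roles defined on the site (WordPress keeps these in the
// wp_user_roles option) and the roles the admin chose to enforce 2FA on.
$site_roles     = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];
$enforced_roles = ['administrator', 'editor', 'subscriber'];

// Constructed sample user meta: a secret exists but wpga_active is not set.
$user_meta = ['wpga_secret' => 'JBSWY3DPEHPK3PXP'];

// Never allow object instantiation when unserializing data from the database.
$caps = unserialize($serialized_caps, ['allowed_classes' => false]);

/**
 * Fragile check (hypothetical): treats the first key of wp_capabilities as
 * "the role". With a directly assigned capability stored first, it sees
 * 'capability_new', which is in no enforcement list, so 2FA is only required
 * when the user has already enabled it (wpga_active).
 */
function is_2fa_required_fragile(array $caps, array $enforced_roles, array $user_meta): bool
{
    if (!empty($user_meta['wpga_active'])) {
        return true;
    }
    $first_key = array_key_first($caps);
    return in_array($first_key, $enforced_roles, true);
}

/**
 * Robust check (hypothetical): keep only the wp_capabilities keys that are
 * real role names and have a truthy value, then require 2FA if ANY of those
 * roles is enforced, independent of key order or extra capabilities.
 */
function is_2fa_required_robust(array $caps, array $site_roles, array $enforced_roles, array $user_meta): bool
{
    if (!empty($user_meta['wpga_active'])) {
        return true;
    }
    $granted = array_keys(array_filter($caps));            // capabilities set to true
    $roles   = array_values(array_intersect($granted, $site_roles));
    return count(array_intersect($roles, $enforced_roles)) > 0;
}

var_dump(is_2fa_required_fragile($caps, $enforced_roles, $user_meta));
var_dump(is_2fa_required_robust($caps, $site_roles, $enforced_roles, $user_meta));
```

On the sample data the fragile check lets the subscriber in without 2FA, while the robust check requires it. The design point is that enforcement should be decided from the set of roles a user actually holds, not from the position of a key in the serialized array, and it must not depend on a per-user opt-in flag such as `wpga_active` when the policy is role-based.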