2FA can be bypassed in Multisite by logging in to a site where you have no role
Hello,
2 Factor Authentication can be bypassed in Multisite by logging in to a site where you have no role.
Steps to reproduce:
1. Open https://wpdefender.cloud77.com/wp-signup.php
2. Register a new account and a new site
3. Activate your 2FA
4. If you login to https://wpdefender.cloud77.com/<your_new_site>/wp-admin, the 2FA prompt will appear just fine. However, if you login to https://wpdefender.cloud77.com/wp-admin or https://wpdefender.cloud77.com/adrianw/wp-admin, you’ll be able to bypass 2FA.

Workaround:
1. On /app/module/advanced-tools/component/auth-api.php, in isEnableForCurrentRole, replace
return count( $allowedForThisRole ) > 0;
with
return count( $allowedForThisRole ) > 0 || count( $user->roles ) == 0;
2. On /app/module/advanced-tools/controller/main.php, in defenderVerifyOTP, add
'blog_id' => 0,
before
'meta_key' => 'defOTPLoginToken',
Please let me know if you have any question.
Thanks,
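The role check described in the report, as an added example that is not code from the plugin or the original post: the function names and the role lists are assumptions, and only the role check (not the OTP token lookup) is modelled, so it runs without WordPress.

```php
<?php
// Added example (not the plugin's code). In a multisite, a WP_User loaded for a
// site where the account holds no role has an empty roles array. A check that
// only asks "is 2FA enabled for one of my roles?" then answers "no" for that
// site and skips the second factor entirely.

// Weak form of the check: no roles on this site => 2FA silently not enforced.
function is_2fa_enforced_weak(array $user_roles, array $enabled_roles): bool {
    $allowedForThisRole = array_intersect($user_roles, $enabled_roles);
    return count($allowedForThisRole) > 0;
}

// Hardened form, mirroring the report's suggested change: an account with no
// role on this site is still subject to 2FA.
function is_2fa_enforced_fixed(array $user_roles, array $enabled_roles): bool {
    $allowedForThisRole = array_intersect($user_roles, $enabled_roles);
    return count($allowedForThisRole) > 0 || count($user_roles) === 0;
}

// Constructed scenario: 2FA is enabled for administrators. The account is an
// administrator of its own sub-site, holds no role on the main site, and is a
// plain subscriber on a third site.
$enabled_roles = ['administrator'];
$cases = [
    'own sub-site (administrator)' => ['administrator'],
    'main site (no role)'          => [],
    'third site (subscriber only)' => ['subscriber'],
];

foreach ($cases as $label => $roles) {
    printf("%-30s weak=%-8s fixed=%s\n", $label,
        is_2fa_enforced_weak($roles, $enabled_roles) ? 'enforced' : 'BYPASS',
        is_2fa_enforced_fixed($roles, $enabled_roles) ? 'enforced' : 'BYPASS');
}
```

The "no role" row is the case the report describes: the weak check lets the login through without 2FA, the fixed check does not. The subscriber row shows the fix leaves the intended per-role configuration unchanged.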