Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Kaspars

    (@kasparsd)

    @hongamtan Could you please elaborate on this? Did you enable one of the two factor methods in the user profile? What are the steps to reproduce the issue?

    Thread Starter hongamtan

    (@hongamtan)

    Hello, I’m using the WordPress app on Android, and after I enabled the plugin I am still able to use the app to create posts. Note that if I’m an admin I can have unfiltered HTML, so here is the flow for an attacker:
    -> Log in to the Android app -> create a post with embedded JS code to turn off two-factor -> then wait for an admin to visit the post -> then two-factor can be turned off without entering the code from step 2.

    tanckom

    (@tanckom)

    Has this been fixed, if it exists?

    Bianca

    (@bianca205)

    I am keeping a close eye on this thread as I am also keen for a response from the author @kasparsd.

    Plugin Author Kaspars

    (@kasparsd)

    The official WordPress Android app uses the XML-RPC endpoint of your blog instead of the standard login flow.

    For protecting the XML-RPC endpoint you could install the Application Passwords plugin.

    We could also add a fix to this plugin which prevents users with the two-factor plugin configured from logging in through the REST/XML-RPC endpoints. I’ve re-opened this issue on GitHub and we’ll use that to track the progress of this.

    Plugin Author Kaspars

    (@kasparsd)

    -> Log in to the Android app -> create a post with embedded JS code to turn off two-factor -> then wait for an admin to visit the post -> then two-factor can be turned off without entering the code from step 2.

    @hongamtan The JS code couldn’t do that because there is a referrer and nonce check for all updates to the user profile.
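
    The nonce and referrer check Kaspars refers to, written out as an added example of how a WordPress plugin protects its profile-update handler. This is illustration code, not the Two-Factor plugin's own; the meta key `example_2fa_providers`, the nonce action `example_2fa_update` and the field name `_example_2fa_nonce` are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not Two-Factor plugin code): a profile setting that can only be
 * changed by a request carrying a valid nonce for the acting user's session.
 *
 * Assumptions (not from the thread): meta key 'example_2fa_providers',
 * nonce action 'example_2fa_update', nonce field '_example_2fa_nonce'.
 */

// Render the setting and its nonce on the profile screen. wp_nonce_field() emits a
// hidden input whose value is derived from the logged-in user's session token and
// the action string, so a forged request from elsewhere cannot supply it.
add_action( 'show_user_profile', 'example_2fa_render_fields' );
add_action( 'edit_user_profile', 'example_2fa_render_fields' );
function example_2fa_render_fields( WP_User $user ) {
	wp_nonce_field( 'example_2fa_update', '_example_2fa_nonce' );
	$enabled = (array) get_user_meta( $user->ID, 'example_2fa_providers', true );
	printf(
		'<label><input type="checkbox" name="example_2fa_enabled" value="1" %s> %s</label>',
		checked( ! empty( $enabled ), true, false ),
		esc_html__( 'Require a second factor when logging in' )
	);
}

// Handle the save. Both hooks fire from user-edit.php with the ID of the user being
// edited: personal_options_update for your own profile, edit_user_profile_update
// for someone else's.
add_action( 'personal_options_update', 'example_2fa_save_fields' );
add_action( 'edit_user_profile_update', 'example_2fa_save_fields' );
function example_2fa_save_fields( $user_id ) {
	// 1. Nonce: check_admin_referer() verifies the nonce field against the
	//    action; with an explicit action it does not fall back to the referrer
	//    heuristic, and on failure it stops the request with a "link expired" page.
	check_admin_referer( 'example_2fa_update', '_example_2fa_nonce' );

	// 2. Capability: the acting user must be allowed to edit this profile at all.
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return;
	}

	// 3. Only now apply the change.
	if ( empty( $_POST['example_2fa_enabled'] ) ) {
		delete_user_meta( $user_id, 'example_2fa_providers' );
	} else {
		update_user_meta( $user_id, 'example_2fa_providers', array( 'totp' ) );
	}
}
```

    user-edit.php already verifies its own `update-user_{ID}` nonce before either hook fires; the plugin-specific nonce above is the extra per-feature layer. The caveat to keep in mind when reading the thread: a nonce defends against requests forged from another origin, which is what a plain cross-site form or image tag can do. It is not a defence against script that already executes on the site's own origin in the admin's session, which is why `unfiltered_html` is a capability reserved for trusted roles in the first place.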

    Plugin Author Kaspars

    (@kasparsd)

    The latest version 0.4.0 has been released and it blocks all login requests via the REST and XML-RPC APIs for users that have at least one two-factor method enabled.
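
    The mitigation Kaspars describes in his two replies above (refuse password logins over XML-RPC and the REST API for any user who has a second factor enrolled), as an added example of how such a veto is wired into WordPress's `authenticate` filter chain. This is illustration code, not the Two-Factor plugin's 0.4.0 implementation; how enrolment is detected (the `example_2fa_providers` meta key) and the error code string are assumptions.

```php
<?php
/**
 * Added example (not Two-Factor plugin code): block username/password logins over
 * XML-RPC and REST for accounts that have a second factor enrolled, because those
 * endpoints never display the second-factor prompt and would otherwise bypass it.
 *
 * Assumption (not from the thread): enrolment is recorded in user meta
 * 'example_2fa_providers'. Replace example_2fa_user_has_second_factor() with
 * whatever your two-factor plugin exposes.
 */

function example_2fa_user_has_second_factor( $user_id ) {
	$providers = get_user_meta( $user_id, 'example_2fa_providers', true );
	return ! empty( $providers );
}

// True when the request arrived through an endpoint that only understands
// username + password. Core defines XMLRPC_REQUEST in xmlrpc.php and REST_REQUEST
// when the REST API dispatcher takes over the request.
function example_2fa_is_api_request() {
	$xmlrpc = defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST;
	$rest   = defined( 'REST_REQUEST' ) && REST_REQUEST;
	return $xmlrpc || $rest;
}

// wp_authenticate() runs this filter for the login form, the XML-RPC login() call
// and any Basic-Auth style plugin. Core's username/password handler sits at
// priority 20 and the cookie handler at 30, so at priority 50 we only ever see a
// fully authenticated WP_User and can still replace it with an error.
add_filter( 'authenticate', 'example_2fa_block_api_login', 50, 3 );
function example_2fa_block_api_login( $user, $username, $password ) {
	if ( ! ( $user instanceof WP_User ) ) {
		return $user; // Authentication already failed; nothing to veto.
	}

	if ( example_2fa_is_api_request() && example_2fa_user_has_second_factor( $user->ID ) ) {
		return new WP_Error(
			'two_factor_api_login_blocked', // assumed error code for this example
			__( 'Password login over XML-RPC or the REST API is disabled for accounts with two-factor authentication enabled.' )
		);
	}

	return $user;
}
```

    Two things to check before deploying a filter like this. First, it only fires on the password path: a browser session that already holds a valid auth cookie reaches the REST API through `determine_current_user`, not `wp_authenticate()`, so admin-screen REST calls keep working. Second, if the site relies on application passwords (the plugin Kaspars mentions, later part of core), those logins also pass through `authenticate`, so you would want to exempt them rather than lock every API client out.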

    Bianca

    (@bianca205)

    Thanks for the follow up.

    Well, I would like to thank you for the time you have taken; you people are the ones who make the www great, thanks!

  • The topic ‘Not secure’ is closed to new replies.