Bug #16792 (closed)
Update Two Factor plugin to 0.7.2
Description
As Jeremy mentioned, there is a new security update for the Two Factor plugin.
The main change is https://github.com/WordPress/two-factor/pull/453. (Specifically, https://github.com/WordPress/two-factor/pull/453/commits/5ff442a9ba868ade098826d5afcf71104ac1407b.) And the two-factor plugin is now hashing the key that generates the login nonce instead of leaving it in the clear in user meta.
I don't think this necessitates pushing an update to production immediately, as an attacker would need DB access in order to fetch the key. Also, login nonces are deleted immediately after successful 2FA logins, so the attack vector is minimal.
I'll stage the update for 2.0.8 for now and we can make a decision whether we want to push it to production before the next maintenance update.
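
The storage pattern described in this ticket (persist only a hash of the login nonce key, delete the nonce after a successful 2FA login), as an added example that is not part of the ticket and is not the Two Factor plugin's code. The function names, `SITE_SECRET`, `NONCE_TTL` and the in-memory `$meta` array standing in for user meta are assumptions made for illustration.

```php
<?php
// Added illustration, not the Two Factor plugin's code.
// $meta stands in for the user meta table; SITE_SECRET is a constructed
// secret assumed to live in server config, outside the database.
const SITE_SECRET = 'constructed-example-secret';
const NONCE_TTL   = 3600; // assumed nonce lifetime in seconds

function hash_nonce_key(string $key): string {
    // Keyed hash: the stored value cannot be replayed as the key itself.
    return hash_hmac('sha256', $key, SITE_SECRET);
}

function create_login_nonce(array &$meta, int $userId): string {
    $key = bin2hex(random_bytes(32));
    $meta[$userId] = [
        'key'        => hash_nonce_key($key), // only the hash is persisted
        'expiration' => time() + NONCE_TTL,
    ];
    return $key; // plain key goes to the login form, never to storage
}

function verify_login_nonce(array &$meta, int $userId, string $presented): bool {
    $stored = $meta[$userId] ?? null;
    if ($stored === null) {
        return false;
    }
    if (time() > $stored['expiration']) {
        unset($meta[$userId]); // expired nonces are dropped
        return false;
    }
    // Hash the presented key and compare in constant time.
    return hash_equals($stored['key'], hash_nonce_key($presented));
}

function finish_login(array &$meta, int $userId): void {
    unset($meta[$userId]); // delete the nonce once 2FA has succeeded
}

$meta   = [];
$key    = create_login_nonce($meta, 42);
$leaked = $meta[42]['key']; // what someone with read access to the DB sees

var_dump(verify_login_nonce($meta, 42, $leaked)); // stored hash presented as the key
var_dump(verify_login_nonce($meta, 42, $key));    // the real key
finish_login($meta, 42);
var_dump(verify_login_nonce($meta, 42, $key));    // same key after the nonce is deleted
```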