From 1be422d54fa9c0f01a3c19fd6c3ab7fcbc4a4ce8 Mon Sep 17 00:00:00 2001
From: Volodymyr Kolesnykov
Date: Mon, 9 Feb 2026 22:53:46 +0200
Subject: [PATCH 1/2] fix: ensure execution stops after redirects.
---
 class-two-factor-core.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 0f864334..07730d92 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1,6 +1,6 @@ ID, $nonce ) ) {
 wp_safe_redirect( home_url() );
- return;
+ exit();
 }
 $provider = self::get_provider_for_user( $user, $provider );
@@ -1567,6 +1567,7 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider =
 $redirect_to = apply_filters( 'login_redirect', $redirect_to, $redirect_to, $user ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- Core WordPress filter.
 wp_safe_redirect( $redirect_to );
+ exit();
 }
@@ -1602,7 +1603,7 @@ public static function login_form_revalidate_2fa() {
 public static function _login_form_revalidate_2fa( $nonce = '', $provider = '', $redirect_to = '', $is_post_request = false ) {
 if ( ! is_user_logged_in() ) {
 wp_safe_redirect( home_url() );
- return;
+ exit();
 }
 $user = wp_get_current_user();
@@ -1610,7 +1611,7 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 // Validate the nonce for POST requests. GET requests do not perform actions, and such do not require the nonce (such as the initial request).
 if ( $is_post_request && ! wp_verify_nonce( $nonce, 'two_factor_revalidate_' . $user->ID ) ) {
 wp_safe_redirect( home_url() );
- return;
+ exit();
 }
 $provider = self::get_provider_for_user( $user, $provider );
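Review bot: The `exit()` that replaces `return` after the rejected login nonce in `_login_form_validate_2fa()` (the `wp_safe_redirect( home_url() );` branch of the first code hunk) has no comment saying that it must stay unconditional. Ignoring the return value of `wp_safe_redirect()` is the fail-closed behaviour you want on a rejection path, but a later cleanup to the common `if ( wp_safe_redirect( ... ) ) { exit; }` idiom would let a cancelled redirect fall through to the caller again. I would add `// Exit unconditionally: a rejected request must never fall through to the caller, even if the redirect is cancelled.` above the `exit`. The same applies to the `is_user_logged_in()` and `wp_verify_nonce()` branches of `_login_form_revalidate_2fa()` in the `@@ -1602` and `@@ -1610` hunks; each function body continues outside its hunk.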
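Review bot: The `exit();` added after `wp_safe_redirect( $redirect_to );` in the `@@ -1567` hunk ends the PHP process inside `_login_form_validate_2fa()`, so an in-process caller can no longer observe the outcome of a successful second factor. If the test suite calls the underscore-prefixed methods directly (not visible in this patch), those calls will now terminate the test runner. The method's docblock, which lies outside the hunk, should state the new contract, for example `Ends the request with exit after issuing a redirect; does not return on those paths.` The same holds for the final redirect of `_login_form_revalidate_2fa()` in the `@@ -1665` hunk.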
@@ -1665,7 +1666,7 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 $redirect_to = apply_filters( 'login_redirect', $redirect_to, $redirect_to, $user ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- Core WordPress filter.
 wp_safe_redirect( $redirect_to );
- return;
+ exit();
 }
 /**
From f5c261984525540bb416924fd5659dd828f7975e Mon Sep 17 00:00:00 2001
From: Volodymyr Kolesnykov
Date: Tue, 10 Feb 2026 00:48:06 +0200
Subject: [PATCH 2/2] style: use `exit;` to stay aligned with WP coding standards
---
 class-two-factor-core.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 07730d92..63fc896f 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1479,7 +1479,7 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider =
 // Validate the request.
 if ( true !== self::verify_login_nonce( $user->ID, $nonce ) ) {
 wp_safe_redirect( home_url() );
- exit();
+ exit;
 }
 $provider = self::get_provider_for_user( $user, $provider );
@@ -1567,7 +1567,7 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider =
 $redirect_to = apply_filters( 'login_redirect', $redirect_to, $redirect_to, $user ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- Core WordPress filter.
 wp_safe_redirect( $redirect_to );
- exit();
+ exit;
 }
@@ -1603,7 +1603,7 @@ public static function login_form_revalidate_2fa() {
 public static function _login_form_revalidate_2fa( $nonce = '', $provider = '', $redirect_to = '', $is_post_request = false ) {
 if ( ! is_user_logged_in() ) {
 wp_safe_redirect( home_url() );
- exit();
+ exit;
 }
 $user = wp_get_current_user();
@@ -1611,7 +1611,7 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 // Validate the nonce for POST requests. GET requests do not perform actions, and such do not require the nonce (such as the initial request).
 if ( $is_post_request && ! wp_verify_nonce( $nonce, 'two_factor_revalidate_' . $user->ID ) ) {
 wp_safe_redirect( home_url() );
- exit();
+ exit;
 }
 $provider = self::get_provider_for_user( $user, $provider );
@@ -1666,7 +1666,7 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 $redirect_to = apply_filters( 'login_redirect', $redirect_to, $redirect_to, $user ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- Core WordPress filter.
 wp_safe_redirect( $redirect_to );
- exit();
+ exit;
 }
 /**