I ended up using curl to login to the wp-admin page and sent a request to each post that misses the qr code.
<?php
$curl = curl_init();
//---------------- generic cURL settings start ----------------
$header = array(
"Referer: https://my.wordpress.com/wp-login.php",
"Origin: https://my.wordpress.com",
"Content-Type: application/x-www-form-urlencoded",
"Cache-Control: no-cache",
"Pragma: no-cache",
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15"
);
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15');
curl_setopt($curl, CURLOPT_AUTOREFERER, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_COOKIESESSION, true);
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookies.txt');
//---------------- generic cURL settings end ----------------
$url="https://my.wordpress.com/wp-admin";
curl_setopt($curl, CURLOPT_URL, $url);
$post="log=user&pwd=my-safe-password&wp-submit=Log+In&redirect_to=https%3A%2F%2Fmy.wordpress.com%2Fwp-admin";
curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
$output = curl_exec($curl);
$url="https://my.wordpress.com/wp-admin/post.php?post=123&action=edit";
curl_setopt($curl, CURLOPT_URL, $url);
$output = curl_exec($curl);
curl_close ($curl);
echo ($output);