[wp-trac] [WordPress Trac] #62905: Prevent registration bypass when user registration is disabled
WordPress Trac
noreply@wordpress.org
Wed Feb 5 10:50:15 UTC 2025
#62905: Prevent registration bypass when user registration is disabled
------------------------------------+-----------------------------
Reporter: jonathancaron02 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version:
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
== Fix: Prevent registration bypass when user registration is disabled ==
=== Problem Description: ===
After extensive testing, I discovered a potential vulnerability in the
default WordPress registration form. This issue occurs even when user
registration is disabled (`users_can_register` set to `0`). It allows
spammers to bypass the restriction and create accounts, resulting in spam
registrations and automated email notifications.
=== Steps to Reproduce: ===
1. **Send a POST request** to `/wp-login.php?action=register`.
2. **Headers:**
* Content-Type: `application/x-www-form-urlencoded`
3. **Body** (as `x-www-form-urlencoded`):
{{{
user_login=testuser
user_email=testuser@example.com
user_pass=TestPassword123
wp-submit=Register
redirect_to=
}}}
4. **Response:**
If the same request is repeated, an error is displayed indicating that
the username and email are already in use.
5. **Redirect Behavior:**
The bypass works only when redirect following is disabled.
=== Root Cause: ===
The `wp-login.php` file does not validate whether the `users_can_register`
option is disabled when processing registration requests.
=== Solution: ===
This patch introduces a check to block access to the registration process
if the `users_can_register` option is set to `0`. This ensures that no new
accounts can be created through this endpoint unless registration is
explicitly enabled.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62905>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
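The following probe is an added example for checking a report like the one above; it is not code from the ticket, from the reporter, or from WordPress core. It replays the reporter's POST body against `/wp-login.php?action=register` with redirect following disabled (step 5 of the report) and then classifies the raw response by its `Location` header, because a 3xx seen without following it is ambiguous until you read where it points. It assumes a stock single-site install, where `wp-login.php` redirects to `wp-login.php?registration=disabled` when `users_can_register` is off and to `wp-login.php?checkemail=registered` after a completed registration; the base URL, usernames and the sample responses used for the offline demo are constructed.

```python
"""Probe for the behaviour described in #62905 (added example, not WordPress code).

POST the ticket's form to wp-login.php?action=register without following
redirects, then classify the raw response. Assumes a stock single-site install.
"""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class RawResponse:
    """Status, Location header and body of one un-followed HTTP response."""
    status: int
    location: str
    body: str


def classify(resp: RawResponse) -> str:
    """Decide what a raw register response says about users_can_register."""
    loc = resp.location.lower()
    body = resp.body.lower()
    if resp.status in REDIRECT_CODES:
        if "registration=disabled" in loc:
            return "blocked"       # the users_can_register guard refused the request
        if "checkemail=registered" in loc:
            return "created"       # default redirect after a successful registration
        return "redirect-other"    # e.g. a custom redirect_to; inspect by hand
    if resp.status == 200:
        if "already registered" in body:
            return "duplicate"     # form re-rendered with a "username/email already registered" error
        if 'name="user_login"' in body:
            return "form"          # form re-rendered, presumably with another validation error
    return f"unexpected-{resp.status}"


def is_bypass(resp: RawResponse, users_can_register: bool) -> bool:
    """True only when an account was created while the option says registration is off."""
    return classify(resp) == "created" and not users_can_register


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError so the Location header is visible to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def post_register(base_url: str, user_login: str, user_email: str,
                  timeout: float = 10.0) -> RawResponse:
    """Replay the ticket's POST body against base_url without following redirects."""
    url = base_url.rstrip("/") + "/wp-login.php?action=register"
    form = {  # same field names and values as the ticket's reproduction body
        "user_login": user_login,
        "user_email": user_email,
        "user_pass": "TestPassword123",
        "wp-submit": "Register",
        "redirect_to": "",
    }
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as r:
            return RawResponse(r.status, r.headers.get("Location", ""),
                               r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # every 3xx/4xx/5xx arrives here
        return RawResponse(e.code, e.headers.get("Location", ""),
                           e.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real site) for an offline demo.
SAMPLE_RESPONSES = {
    "guard fired": RawResponse(302, "https://example.test/wp-login.php?registration=disabled", ""),
    "account created": RawResponse(302, "https://example.test/wp-login.php?checkemail=registered", ""),
    "second attempt": RawResponse(200, "", '<form><input name="user_login">'
                                          "This username is already registered.</form>"),
}


def demo() -> dict[str, str]:
    """Classify the constructed samples; returns {label: classification}."""
    return {label: classify(resp) for label, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        raw = post_register(sys.argv[1], sys.argv[2], sys.argv[3])
        print(raw.status, raw.location, classify(raw))
    else:
        for label, verdict in demo().items():
            print(f"{label}: {verdict}")
```

Run it only against a site you are authorised to test, and treat `created` as a lead rather than a verdict: confirm the account in the database (`wp user list` via WP-CLI) before calling it a bypass. A 302 whose `Location` is `registration=disabled` is the option being enforced, not a bypass, so "it only works with redirect following disabled" is exactly the situation this classifier is meant to disambiguate.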