Fix: Prevent registration bypass when user registration is disabled

src/wp-login.php

@@ -11,6 +11,11 @@
 /** Make sure that the WordPress bootstrap has run before continuing. */
 require __DIR__ . '/wp-load.php';
 
+// Prevent registration if the users_can_register option is disabled
+if (isset($_GET['action']) && $_GET['action'] === 'register' && !get_option('users_can_register')) {
+    wp_die(__('Registration is disabled on this site.'));
+}
+
 // Redirect to HTTPS login if forced to use SSL.
 if ( force_ssl_admin() && ! is_ssl() ) {
 	if ( str_starts_with( $_SERVER['REQUEST_URI'], 'http' ) ) {