From 781944061e1d4f44c6b3799e96c077bb0c4fd50c Mon Sep 17 00:00:00 2001
From: Jonathan Caron
Date: Wed, 5 Feb 2025 11:44:37 +0100
Subject: [PATCH] Fix: Prevent registration bypass when user registration is disabled
---
 src/wp-login.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/wp-login.php b/src/wp-login.php
index 0d824dea655ea..8822df8a56325 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -11,6 +11,11 @@
 /** Make sure that the WordPress bootstrap has run before continuing. */
 require __DIR__ . '/wp-load.php';
 
+// Prevent registration if the users_can_register option is disabled
+if (isset($_GET['action']) && $_GET['action'] === 'register' && !get_option('users_can_register')) {
+ wp_die(__('Registration is disabled on this site.'));
+}
+
 // Redirect to HTTPS login if forced to use SSL.
 if ( force_ssl_admin() && ! is_ssl() ) {
 if ( str_starts_with( $_SERVER['REQUEST_URI'], 'http' ) ) {
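Review bot: The added guard reads only `$_GET['action']`, so a request that carries `action=register` in the POST body is not covered by it; if the action dispatch further down the file (outside this hunk) reads `$_REQUEST`, the guard and the dispatch disagree about which requests count as registrations. Reading the same source as the dispatcher closes that gap, e.g. `if ( isset( $_REQUEST['action'] ) && 'register' === $_REQUEST['action'] && ! get_option( 'users_can_register' ) ) {`, or the check could live inside the existing register branch so there is a single place to audit. `wp_die()` called without a response argument answers with status 500 by default; `wp_die( __( 'Registration is disabled on this site.' ), '', array( 'response' => 403 ) );` lets clients and log monitoring see a refused request rather than a server fault. The new lines also omit the spaces inside parentheses that the surrounding context lines use.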