From b222e6399bd2249913dcd03a17a4810b61baa787 Mon Sep 17 00:00:00 2001
From: Jonathan Caron
Date: Wed, 5 Feb 2025 11:15:56 +0100
Subject: [PATCH] Fix: Prevent registration bypass when user registration is disabled
---
 wp-login.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/wp-login.php b/wp-login.php
index 0d824dea65..6c056fc8f7 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -11,6 +11,11 @@
 /** Make sure that the WordPress bootstrap has run before continuing. */
 require __DIR__ . '/wp-load.php';
 
+// 🔴 Security Fix: Prevent user registration if "Anyone can register" is disabled
+if (isset($_GET['action']) && $_GET['action'] === 'register' && !get_option('users_can_register')) {
+ wp_die('Inscription désactivée.', 'Erreur', array('response' => 403));
+}
+
 // Redirect to HTTPS login if forced to use SSL.
 if ( force_ssl_admin() && ! is_ssl() ) {
 if ( str_starts_with( $_SERVER['REQUEST_URI'], 'http' ) ) {
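Review bot: The added guard inspects only `$_GET['action']`, so it does not cover a request that carries `action` outside the query string. The rest of wp-login.php (outside this hunk) appears to resolve the action from `$_REQUEST`, so the check should read the same source: `if ( isset( $_REQUEST['action'] ) && 'register' === $_REQUEST['action'] && ! get_option( 'users_can_register' ) ) {`. Because it runs right after `wp-load.php` and before the file's own action dispatch, treat it as defence in depth and keep the `users_can_register` check in the register branch as the authoritative gate. The `wp_die()` message and title are hard-coded French; wrap them in `__()` so they follow the site locale. This also edits a core file that an update will overwrite, so the same check is more durable in a plugin attached to the `login_form_register` action.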