From 439cbb99a471dfebf116f1ae9cd38ed3de6e174e Mon Sep 17 00:00:00 2001
From: Jonathan Caron
Date: Wed, 5 Feb 2025 11:44:37 +0100
Subject: [PATCH] Fix: Prevent registration bypass when user registration is disabled (Trac #62905)

---
 src/wp-login.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/wp-login.php b/src/wp-login.php
index 0d824dea655ea..858cb2386f854 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -11,6 +11,24 @@
 /** Make sure that the WordPress bootstrap has run before continuing. */
 require __DIR__ . '/wp-load.php';
 
+/**
+ * Prevents user registration if the 'users_can_register' option is disabled.
+ *
+ * This function checks if user registration is disabled (`users_can_register` = 0)
+ * and blocks access to the registration page (`wp-login.php?action=register`) by
+ * displaying an error message.
+ *
+ * @since 6.7.1
+ */
+function disable_wp_registration() {
+ if ( ! get_option( 'users_can_register' ) && isset( $_GET['action'] ) && 'register' === $_GET['action'] ) {
+ wp_die(
+ apply_filters( 'disable_registration_message', __( 'Registration is disabled on this site.', 'default' ) )
+ );
+ }
+}
+add_action( 'init', 'disable_wp_registration' );
+
 // Redirect to HTTPS login if forced to use SSL.
 if ( force_ssl_admin() && ! is_ssl() ) {
 if ( str_starts_with( $_SERVER['REQUEST_URI'], 'http' ) ) {
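Review bot: The `add_action( 'init', 'disable_wp_registration' );` line sits after `require __DIR__ . '/wp-load.php';`, and in a standard WordPress bootstrap that require runs wp-settings.php, which fires `init` before control returns to wp-login.php, so the callback is most likely registered too late to ever run and the guard adds no protection. Calling it directly, `disable_wp_registration();`, would make the check execute on this request. The condition also reads only `$_GET['action']`, so a request that supplies `action=register` in the POST body would not match; if the rest of wp-login.php (outside this hunk) resolves the action from `$_REQUEST`, the guard should use the same source, e.g. `isset( $_REQUEST['action'] ) && 'register' === $_REQUEST['action']`. The new `disable_registration_message` filter has no docblock and its output goes to `wp_die()` unescaped, so a short hook comment stating that the value is expected to be safe HTML would help.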