Make WordPress Core

Opened 3 months ago

Closed 3 months ago

#62905 closed defect (bug) (invalid)

Prevent registration bypass when user registration is disabled

Reported by: jonathancaron02
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: has-patch close reporter-feedback
Focuses:
Cc:

Description

Fix: Prevent registration bypass when user registration is disabled

Problem Description:

After extensive testing, I discovered a potential vulnerability in the default WordPress registration form. This issue occurs even when user registration is disabled (users_can_register set to 0). It allows spammers to bypass the restriction and create accounts, resulting in spam registrations and automated email notifications.

Steps to Reproduce:

  1. Send a POST request to /wp-login.php?action=register.
  2. Headers:
    • Content-Type: application/x-www-form-urlencoded
  3. Body (as x-www-form-urlencoded):
    user_login=testuser
    user_email=testuser@example.com
    user_pass=TestPassword123
    wp-submit=Register
    redirect_to=
    
  4. Response: If the same request is repeated, an error is displayed indicating that the username and email are already in use.
  5. Redirect Behavior: The bypass works only when redirect following is disabled.

Root Cause:

The wp-login.php file does not validate whether the users_can_register option is disabled when processing registration requests.

Solution:

This patch introduces a check to block access to the registration process if the users_can_register option is set to 0. This ensures that no new accounts can be created through this endpoint unless registration is explicitly enabled.

Change History (5)

This ticket was mentioned in PR #8258 on WordPress/wordpress-develop by @jonathancaron02.


3 months ago
#1

  • Keywords has-patch added

Trac ticket: https://core.trac.wordpress.org/ticket/62905


@jonathancaron02 commented on PR #8258:


3 months ago
#2

Trac ticket added

#3 @swissspidy
3 months ago

  • Keywords close added

Hi there and welcome to WordPress Trac!

Since you've started your message with "I discovered a potential vulnerability", think twice about sharing such things publicly. Imagine the damage you could cause with that!

Next time, please learn more about reporting potential security vulnerabilities responsibly and privately.

With that said, I cannot confirm your report. There is already a redirect in place if registration is disabled:

https://github.com/WordPress/wordpress-develop/blob/7d10dd7b0fde2a782395887c2d66439481440f9b/src/wp-login.php#L1102-L1118

You might be using a plugin or theme that alters the standard flow on the login page that causes this behavior. In that case you should report it to that plugin or theme — again, responsibly and privately.
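Added example, not part of the ticket thread or of WordPress core: a check an administrator can run against a site they manage to see whether the register endpoint returns the core redirect referred to in comment #3, or whether something else is answering. It assumes core redirects to `wp-login.php?registration=disabled` when `users_can_register` is off (and to `wp-signup.php` on multisite); the host `blog.example`, the sample responses and the verdict names are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit, parse_qs

REDIRECTS = (301, 302, 303, 307, 308)

def classify_register_response(status, location):
    """Interpret the reply to GET /wp-login.php?action=register (redirect not followed)."""
    if status in REDIRECTS and location:
        target = urlsplit(location)
        query = parse_qs(target.query)
        if target.path.endswith("wp-login.php") and query.get("registration") == ["disabled"]:
            return "guard-active"      # core refused before any registration code ran
        if target.path.endswith("wp-signup.php"):
            return "multisite-signup"  # multisite hands registration to wp-signup.php
        return "redirect-other"        # a plugin or theme is steering this request
    if status == 200:
        return "form-reachable"        # form served: registration enabled or the flow is altered
    return "inconclusive"              # 403/404/5xx: WAF rule, renamed login page, or an error

def probe(base_url, timeout=10):
    """Send one non-mutating GET (no account data) and classify the raw reply."""
    parts = urlsplit(base_url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)  # http.client never follows redirects
    try:
        conn.request("GET", parts.path.rstrip("/") + "/wp-login.php?action=register")
        resp = conn.getresponse()
        return classify_register_response(resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample replies (status, Location header), not captured from a real site.
SAMPLES = [
    (302, "https://blog.example/wp-login.php?registration=disabled"),
    (200, None),
    (302, "https://blog.example/wp-signup.php"),
    (302, "https://blog.example/members/join/"),
    (403, None),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, "->", classify_register_response(status, location))
```

A `form-reachable` or `redirect-other` verdict on a site with registration switched off points at a plugin or theme altering the login flow, which is where comment #3 suggests looking.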

#4 @dd32
3 months ago

  • Keywords reporter-feedback added
  • Milestone Awaiting Review deleted

Based on the linked PR being closed by the author, and there being no clear reproduction, I'm marking this as invalid, assuming that this was caused by a plugin interaction.

@jonathancaron02 If you have further details to provide that point to a core vulnerability, please report it via HackerOne as noted on the following page:
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/

#5 @dd32
3 months ago

  • Resolution set to invalid
  • Status changed from new to closed