wpsharks / s2member

s2Member® Framework (membership management for WordPress®).
64 stars 36 forks

Account activated without e-mail verification #1000

Open vasyugan opened 7 years ago

vasyugan commented 7 years ago

EXPLANATION OF THE ISSUE

I am currently helping out the owner of a site who at the same time uses s2 Pro and the Stop Spammers Registration plugins for WordPress. What I notice is that accounts of newly registered users are immediately active; no verification of the address via a confirmation email is undertaken.

I am still trying to understand what the cause might be, but it seems s2 is interfering with the registration process, because as soon as I disable it, WordPress' own registration settings kick in.

STEPS TO REPRODUCE THE ISSUE

The confirmation email should contain a verification link; only after visiting it should the account be activated.

BEHAVIOR THAT I OBSERVED

The account becomes active immediately, allowing anyone to use fake addresses for the registration.

vasyugan commented 7 years ago

Sorry, probably unrelated; the problem persists after the plugin is deactivated.

jaswrks commented 7 years ago

Copy that. Thanks for reporting anyway. Glad to hear it wasn't related specifically to s2Member.

vasyugan commented 7 years ago

Actually, on closer inspection, I have found that it is indeed an issue with the s2Member framework: if WordPress' own registration dialogue is used, one can only enter one's name and e-mail at registration time. After that, an email with a "set password" link is mailed to you, and sure enough, as long as you haven't set your password using that link, you cannot log on.

The problem seems to be with the s2Member plugin, because it imposes its own custom registration dialogue, in which a password has to be chosen at registration time already. After that, you still receive mail with a set-password link, but you can already log on, as you already have a password. This way, the mechanism which is supposed to verify the address is circumvented.
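
The gap described in this comment, a registration form that hands out a usable password before the address has been confirmed, can be closed at the WordPress level independently of the form in use. The following mu-plugin is an added illustration written for this thread, not s2Member's or WordPress' own code; the meta keys `email_verified` and `email_verify_token` and the query parameters `verify_uid` / `verify_token` are names chosen here for the example.

```php
<?php
/*
 * Hypothetical mu-plugin (illustration only, not part of s2Member):
 * flag new accounts as unverified and refuse logins until the
 * one-time link mailed to the address has been visited.
 */

// On registration, flag the account and mail a random token.
add_action( 'user_register', function ( $user_id ) {
    $token = wp_generate_password( 32, false ); // alphanumeric, URL-safe
    update_user_meta( $user_id, 'email_verify_token', $token );
    update_user_meta( $user_id, 'email_verified', '0' );

    $user = get_userdata( $user_id );
    $link = add_query_arg(
        array( 'verify_uid' => $user_id, 'verify_token' => $token ),
        home_url( '/' )
    );
    wp_mail( $user->user_email, 'Confirm your e-mail address', "Visit: $link" );
} );

// Complete verification when the link is visited.
add_action( 'init', function () {
    if ( empty( $_GET['verify_uid'] ) || empty( $_GET['verify_token'] ) ) {
        return;
    }
    $uid    = (int) $_GET['verify_uid'];
    $given  = sanitize_text_field( wp_unslash( $_GET['verify_token'] ) );
    $stored = (string) get_user_meta( $uid, 'email_verify_token', true );
    // Constant-time comparison so the token cannot be probed byte by byte.
    if ( $stored !== '' && hash_equals( $stored, $given ) ) {
        update_user_meta( $uid, 'email_verified', '1' );
        delete_user_meta( $uid, 'email_verify_token' );
    }
} );

// Runs after WordPress' own password check (priority 20): even a correct
// password does not log in an account still flagged as unverified.
// Accounts created before this plugin carry no flag and are unaffected.
add_filter( 'authenticate', function ( $user ) {
    if ( $user instanceof WP_User
         && get_user_meta( $user->ID, 'email_verified', true ) === '0' ) {
        return new WP_Error( 'email_unverified',
            'Please confirm your e-mail address before logging in.' );
    }
    return $user;
}, 30, 1 );
```

Note that `user_register` also fires for accounts an administrator creates by hand, so a real deployment would skip the flag in that case or offer a resend option.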

vasyugan commented 7 years ago

Oh well, now I have found that the password field can be removed from the registration. I would still consider this a security issue, because it allows anyone to register an account under any address. Please decide for yourselves whether this is a bug or a feature.

raamdev commented 7 years ago

@vasyugan Are you aware that you can disable Open Registration in s2Member → General Options → Open Registration?

I'm not seeing what the issue is here in this GitHub issue.