Pie Register < 3.8.4.10 – Unauthenticated Email Verification Bypass via Predictable Token | CVE 2026-10530

Description

The plugin does not use sufficiently random values when generating its account verification tokens, allowing unauthenticated attackers to predict a valid token and activate an account without access to the associated email inbox.

Proof of Concept

1. On a site running Pie Register <= 3.8.4.9 with Email Link Verification enabled, register an account via the Pie Register form.
2. Capture the server time from the HTTP Date response header (e.g. "Mon, 01 Jun 2026 09:50:49 GMT" = unix 1780307449).
3. The activation token is generated as md5(time()). Compute md5() for each timestamp in a +/-2s window (about 5 candidates).
4. Submit each candidate to: GET /login/?action=activate&activation_key=<md5hash>&pie_id=<username>
5. One candidate activates the account (active=1) with no access to the email inbox.

Verified in DDEV on 3.8.4.9: the stored activation hash equalled md5(<Date-header timestamp>) exactly, the activation endpoint accepted the predicted token, and the account then authenticated. Confirmed fixed in 3.8.4.10, where tokens are generated with wp_generate_password(32, false) and the predicted-token attack no longer succeeds.