Improper Input Validation

Summary

The 'Login::register()' method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled, and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with the admin.super privileges by injecting these fields into the registration request. This is a missing server-side validation issue -- the only defense is a config-level fields allowlist, which is an admin-facing setting, not a hardcoded security boundary. The affected versions are prior to 2.0.0-beta.2.