Free subscription bug
complete
adiletmd
Description of the issue:
The subscription activation flow does not properly validate email ownership. It is possible to register an account and activate an educational subscription using a non-existent or unverified email address.
Steps to reproduce:
1. Open the subscription or registration page.
2. Enter an email address that is syntactically valid but not owned or accessible (e.g., a non-existent inbox).
3. Complete the registration/subscription process.
4. The subscription becomes active without any email verification or ownership confirmation.
Expected behavior:
The system should require verification of email ownership (e.g., confirmation link or code) before activating the subscription or granting access to educational resources.
Actual behavior:
The subscription is activated immediately without verifying that the provided email address belongs to the user.
Impact / severity:
This issue allows unauthorized access to subscription-based educational content and may lead to financial loss, abuse of the service, and inaccurate user data. It can be exploited at scale and therefore should be treated as a high-priority issue.
Additional notes:
This issue was identified during security testing. No automated exploitation or mass registration was performed.
I discovered this issue unintentionally and will not use the accounts created in the process. I decided to report the problem responsibly instead of exploiting it.
You may ban and delete these accounts or simply cancel the subscription associated with them. I did not intentionally attempt to bypass any restrictions, and the vulnerability was found accidentally.
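The expected behaviour described in the report (prove mailbox ownership before the subscription is activated) can be implemented as a small verification gate. The following is an added example for illustration, not Gretel's code or anything from the thread; `SubscriptionService`, `Account`, the `send_email` callback and the sample addresses are all hypothetical. It issues a single-use, time-limited token, stores only its hash, and refuses activation for accounts that have not presented the token.

```python
"""Email-ownership verification gate for subscription activation.

Added example, not the vendor's code. A subscription is activated only after
the user presents a single-use, time-limited token that was mailed to the
address they registered with. All class and function names are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # verification links/codes expire after 15 minutes


@dataclass
class Account:
    email: str
    verified: bool = False
    subscription_active: bool = False
    # Only the SHA-256 digest of the token is stored, so a leaked database
    # does not hand out usable verification codes.
    token_digest: Optional[str] = None
    token_expires_at: float = 0.0


class VerificationRequired(Exception):
    """Raised when activation is attempted on an unverified account."""


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class SubscriptionService:
    def __init__(self, send_email, clock=time.time):
        self.accounts: dict = {}
        self.send_email = send_email  # hypothetical mailer callback (to, body)
        self.clock = clock            # injectable for deterministic testing

    def register(self, email: str) -> None:
        """Create a pending account and mail a verification token.

        Nothing is activated here: the caller only learns that a message
        was sent to the address they supplied.
        """
        account = self.accounts.setdefault(email, Account(email))
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        account.token_digest = _digest(token)
        account.token_expires_at = self.clock() + TOKEN_TTL_SECONDS
        self.send_email(email, f"Your verification code: {token}")

    def verify(self, email: str, token: str) -> bool:
        """Mark the account verified if the presented token is valid, unexpired and unused."""
        account = self.accounts.get(email)
        if account is None or account.token_digest is None:
            return False
        if self.clock() > account.token_expires_at:
            return False
        # Constant-time comparison of digests avoids timing side channels.
        if not hmac.compare_digest(_digest(token), account.token_digest):
            return False
        account.verified = True
        account.token_digest = None  # single use: a replayed token is rejected
        return True

    def activate_subscription(self, email: str) -> bool:
        """The gate the report says is missing: no verified email, no subscription."""
        account = self.accounts.get(email)
        if account is None or not account.verified:
            raise VerificationRequired(email)
        account.subscription_active = True
        return True


def demo() -> dict:
    """Walk the flow with a fake clock and a captured outbox; returns each outcome."""
    now = [1_000_000.0]
    outbox = []
    svc = SubscriptionService(send_email=lambda to, body: outbox.append((to, body)),
                              clock=lambda: now[0])
    email = "student@example.com"  # constructed sample address
    svc.register(email)
    results = {}
    try:
        svc.activate_subscription(email)
        results["premature_activation"] = True
    except VerificationRequired:
        results["premature_activation"] = False
    token = outbox[-1][1].rsplit(": ", 1)[1]  # what the real user reads from the mail
    results["wrong_token_accepted"] = svc.verify(email, "not-the-token")
    results["right_token_accepted"] = svc.verify(email, token)
    results["token_reusable"] = svc.verify(email, token)
    results["activated"] = svc.activate_subscription(email)
    # A second registration whose token is presented only after the TTL has passed.
    svc.register("late@example.com")
    late_token = outbox[-1][1].rsplit(": ", 1)[1]
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired_token_accepted"] = svc.verify("late@example.com", late_token)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `demo()` walk-through is the first outcome: calling `activate_subscription` right after `register` raises `VerificationRequired`, which is exactly the check the reporter found absent. The other outcomes show the properties a practitioner would expect of the token itself (wrong value rejected, replay rejected, expiry enforced).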
collinsemasi
Hi adiletmd
This issue is now resolved. Thank you so much for bringing this to our attention <3
Gretel Bot marked this post as complete
Gretel Bot marked this post as in progress