
Users registered with email verification can self re-activate their disabled accounts


Description

STEPS TO REPRODUCE:

1. Login as Admin
2. Go to Administer Wiki > Users & Rights > Users
3. Create a user (e.g. U1)
4. Go to Administer Wiki > Users & Rights > Registration
5. Set USE EMAIL VERIFICATION to 'Yes' and Save
6. Logout
7. Click Drawer > 'Register'
8. Fill in the credentials for a new user (e.g. U2) with a valid email
9. Click 'Register'
10. Open the email U2 received and click the link to validate the account
11. Login as Admin
12. Go to Administer Wiki > Users & Rights > Users and disable both U1's and U2's accounts
13. Login with U1
14. Login with U2

EXPECTED RESULTS

When logging in, both U1 and U2 get the notice:

Your account has been disabled. Please contact the administrator if you think this is a mistake.

They can log in only after the Admin has re-enabled their account.

ACTUAL RESULTS

User U1 (created before email verification was enforced) gets the notice about the account being disabled, but user U2 gets the notice that the account is not active because the email address has not yet been confirmed.

If U2 enters the validation key or clicks the validation link from the email again, U2 can successfully log in afterwards. This is a potential security risk, for example if the Admin disabled the account for serious reasons such as misbehaviour or spamming.

The issue also reproduces on XWiki 12.6.2 and XWiki 11.10.10.
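The behaviour above follows when the account's email-confirmation state and the administrator's disable switch share one flag, so proving the email address also clears the disable. The following is an added example, not XWiki's code: it models the reported single-flag behaviour beside a hardened two-flag variant and replays the report's steps for U2; every class, field, key and message name is an assumption made for the illustration.

```python
from dataclasses import dataclass

# Hypothetical model of the account states in this report (not XWiki's code); all names are assumptions.
@dataclass
class Account:
    name: str
    active: bool = True           # administrator's enable/disable switch
    email_checked: bool = True    # has the validation link or key been used?
    validation_key: str = ""      # non-empty only for email-verified registration

DISABLED = "Your account has been disabled. Please contact the administrator if you think this is a mistake."
UNCONFIRMED = "Your account is not active yet: please confirm your email address."

class SingleFlagPolicy:
    """Reported behaviour: one 'active' flag also stands for 'email not yet confirmed'."""
    def register(self, name, key):
        return Account(name, active=False, email_checked=False, validation_key=key)
    def validate(self, acct, key):
        if not acct.validation_key or key != acct.validation_key:
            return False
        acct.email_checked = True
        acct.active = True            # bug: a valid key also undoes an admin disable
        return True
    def login(self, acct):
        if acct.active:
            return "ok"
        # one flag cannot tell "disabled" from "unconfirmed", so it guesses by origin
        return UNCONFIRMED if acct.validation_key else DISABLED

class SeparateFlagPolicy(SingleFlagPolicy):
    """Hardened: email confirmation and admin disabling are independent states."""
    def register(self, name, key):
        return Account(name, active=True, email_checked=False, validation_key=key)
    def validate(self, acct, key):
        if not acct.validation_key or key != acct.validation_key:
            return False
        acct.email_checked = True     # proves the address; never touches 'active'
        return True
    def login(self, acct):
        if not acct.active:
            return DISABLED           # the admin's decision is checked first
        return "ok" if acct.email_checked else UNCONFIRMED

def reproduce(policy):
    # Replay the report for U2: register, validate, get disabled, re-validate, log in.
    u2 = policy.register("U2", "key-U2")  # constructed validation key
    policy.validate(u2, "key-U2")         # step 10: first click on the link
    u2.active = False                     # step 12: admin disables the account
    after_disable = policy.login(u2)      # step 14
    policy.validate(u2, "key-U2")         # U2 uses the validation link again
    return after_disable, policy.login(u2)
```

With the single flag, U2 sees the "not active" notice after being disabled and is back in after re-validating; with separate flags, U2 sees the disabled notice both times.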

People

surli Simon Urli
iandriuta Ilie Andriuta