Login is itself an XML command, so in theory that could also be hacked.
Like @silisili said, most of the registry operators require client certs and IPs to go with the usernames, but it is very possible that they are only checking that after getting a login.
CoCCA is run by the tiny zones with no budgets. They are likely to be VERY vulnerable to this.
In addition, they seemed to have access to the source code, whereas the open-source version hasn't been updated in more than 8 years.
Maybe this is the result of a whitebox security audit?