High severity8.1NVD Advisory· Published Nov 4, 2016· Updated May 6, 2026

CVE-2016-8870

Description

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

Affected products

Joomla/Joomla!
cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Range: <=3.6.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/joomla/joomla-cms/commit/bae1d43938c878480cfd73671e4945211538fdcfnvdPatch
www.exploit-db.com/exploits/40637/nvdExploitThird Party Advisory
www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privescnvdThird Party Advisory
www.securityfocus.com/bid/93876nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1037108nvdThird Party AdvisoryVDB Entry
developer.joomla.org/security-centre/659-20161001-core-account-creation.htmlnvdVendor Advisory
www.securitytracker.com/id/1037107nvd
blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.htmlnvd
medium.com/%40showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2nvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.073
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000