Joomla! 3.6.4 was released yesterday, patching a critical privilege escalation and arbitrary account creation vulnerability. An attacker can override any properties present in the JUser class, which will be saved in the database not long after that as a new user. As the two methods are publicly accessible, it allows users to create accounts even if the option supposed to restrict this possibility is disabled. As soon as possible, an attacker could use a freshly hacked administrator account to upload a freshly hacked account to the site and compromise the server.
Source: https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.html
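
The flaw class described above (request data bound to every property of a user object, in a handler that never checks the registration setting) is shown here next to a hardened form. This is an added, simplified model and not Joomla's code: the `User` class, the `allow_registration` key and both functions are hypothetical names, and the request array is constructed sample input.

```php
<?php
// Simplified model of the flaw class described above. Not Joomla code:
// User, $config and both register functions are hypothetical names.
final class User
{
    public string $username = '';
    public string $email = '';
    public array $groups = ['registered'];  // privilege-bearing property
    public bool $activated = false;
}

// Vulnerable pattern: a publicly reachable handler that never checks the
// registration setting and copies every submitted key onto the object.
function registerUnsafe(array $request): User
{
    $user = new User();
    foreach ($request as $key => $value) {
        if (property_exists($user, $key)) {
            $user->$key = $value;   // caller-controlled 'groups' lands here
        }
    }
    return $user;                   // would then be saved as a new account
}

// Hardened pattern: enforce the setting inside the handler itself and bind
// only an allowlist of fields; privilege fields keep server-side defaults.
function registerSafe(array $request, array $config): User
{
    if (empty($config['allow_registration'])) {
        throw new RuntimeException('Registration is disabled');
    }
    $user = new User();
    foreach (['username', 'email'] as $field) {
        if (isset($request[$field]) && is_string($request[$field])) {
            $user->$field = $request[$field];
        }
    }
    return $user;
}

// Constructed sample input carrying extra, privilege-bearing keys.
$request = ['username' => 'alice', 'email' => 'alice@example.test',
            'groups' => ['administrator'], 'activated' => true];
var_dump(registerUnsafe($request)->groups);  // groups taken from the request
var_dump(registerSafe($request, ['allow_registration' => true])->groups);
try {
    registerSafe($request, ['allow_registration' => false]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```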

