Two critical account creation vulnerabilities have been addressed on Tuesday in the Joomla content management system (CMS) with the release of version 3.6.4.

One of the flaws, identified as CVE-2016-8870, allows an attacker to register on a website even if registration has been disabled. The security hole, affecting the Joomla core in versions 3.4.4 through 3.6.3, is caused by inadequate checks. The issue was reported to Joomla developers on October 18 by Demis Palma.