Two days ago the Joomla! security team released a patch that fixes two critical core vulnerabilities. The officially announced CVE IDs are CVE-2016-8870 and CVE-2016-8869.
CVE-2016-8870 allows user registration to be exploited even when this option has been disabled.
CVE-2016-8869 is even more severe since it allows unauthorized third parties to register administrator accounts.
The combination of the two vulnerabilities may lead to full compromise of the website, which automatically classifies them among the most critical security flaws.
The vulnerabilities affect a wide range of Joomla! versions, from 3.4.4 to 3.6.3.
However, we strongly recommend that all users of the second most popular CMS update to the latest version as soon as possible!