The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.
www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privesc
www.securityfocus.com/bid/93876
www.securitytracker.com/id/1037107
www.securitytracker.com/id/1037108
blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.html
developer.joomla.org/security-centre/659-20161001-core-account-creation.html
github.com/joomla/joomla-cms/commit/bae1d43938c878480cfd73671e4945211538fdcf
medium.com/%40showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2#.rq4qh1v4r
www.exploit-db.com/exploits/40637/