CVE-2016-8869

CRITICAL · EXPLOITED IN THE WILD · LAB

Joomla! <3.6.4 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2016-8869 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 5 public exploits from researchers including Xiphos Research Ltd, rustyJ4ck, and cved-sources, as well as a Metasploit module, auxiliary/admin/http/joomla_registration_privesc.

AI-analyzed exploit summary: This exploit leverages a file upload vulnerability in Joomla's com_users component, bypassing whitelisting by using .pht extensions and <?= tags to achieve remote code execution. It automates user creation, admin login, and payload upload.

Description

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

Exploits (5)

exploitdb WORKING POC
by Xiphos Research Ltd · text · webapps · php
https://www.exploit-db.com/exploits/40637

This exploit leverages a file upload vulnerability in Joomla's com_users component, bypassing whitelisting by using .pht extensions and <?= tags to achieve remote code execution. It automates user creation, admin login, and payload upload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Joomla (unspecified version, likely 3.x)
Auth required
Prerequisites: Joomla installation with vulnerable com_users component · Network access to target · Valid credentials or registration capability
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 7 stars
by rustyJ4ck · poc
https://github.com/rustyJ4ck/JoomlaCVE20168869

This is a functional exploit for Joomla 3.4.4 to 3.6.4 that chains authentication bypass (CVE-2016-8869) with file upload restrictions bypass (CVE-2016-8870) to achieve remote code execution via a .pht web shell upload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Joomla 3.4.4 - 3.6.4
No auth needed
Prerequisites: User registration enabled · Administrator account creation via exploit · File upload functionality accessible
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by cved-sources · poc
https://github.com/cved-sources/cve-2016-8869

This repository provides a Dockerized vulnerable Joomla 3.5 environment configured to exploit CVE-2016-8869, a SQL injection vulnerability. The Dockerfile modifies the Joomla database to enable the vulnerable state, allowing for testing of the exploit.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Joomla 3.5
No auth needed
Prerequisites: Docker environment · Joomla 3.5 installation
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by zugetor · poc
https://github.com/zugetor/Joomla-3.4.4-3.6.4_CVE-2016-8869_and_CVE-2016-8870

This Python script exploits CVE-2016-8869 and CVE-2016-8870 in Joomla versions 3.4.4 to 3.6.4 by creating an administrator account via a CSRF token bypass and then leveraging misconfigured file upload settings to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Joomla 3.4.4 to 3.6.4
No auth needed
Prerequisites: Target Joomla site with vulnerable version · Network access to the target
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/joomla_registration_privesc.rb

This Metasploit module exploits CVE-2016-8869 and CVE-2016-8870 to create an arbitrary Joomla user account with administrative privileges by leveraging a CSRF token bypass and improper access control in Joomla versions 3.4.4 through 3.6.3.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Joomla 3.4.4 to 3.6.3
No auth needed
Prerequisites: Joomla instance accessible via HTTP · Email server configured in Joomla (optional for activation)
devstral-2 · analyzed Apr 16, 2026

References (8)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93883
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40637/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037108

Scores

CVSS v3: 9.8
EPSS: 0.9200
EPSS Percentile: 99.7%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2016-10-28
InTheWild.io: 2021-04-12
CWE: CWE-20
Status: published
Products (1): joomla/joomla! < 3.6.3
Published: Nov 04, 2016
Tracked Since: Feb 18, 2026