CVE-2016-8870

HIGH EXPLOITED LAB

Joomla! < 3.6.3 - Unauthenticated User Account Creation via UsersModelRegistration

Title source: llm

Exploitation Summary

CVE-2016-8870 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Xiphos Research Ltd, DaDecky, cved-sources, including a Metasploit module auxiliary/admin/http/joomla_registration_privesc.

AI-analyzed exploit summary This exploit leverages a file upload vulnerability in Joomla's com_users component, bypassing whitelisting by using .pht extensions and <?= tags to achieve remote code execution. It automates user creation, admin login, and payload upload.

Description

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

Exploits (4)

exploitdb WORKING POC

by Xiphos Research Ltd · textwebappsphp

https://www.exploit-db.com/exploits/40637

View Code ZIP pw:eip

This exploit leverages a file upload vulnerability in Joomla's com_users component, bypassing whitelisting by using .pht extensions and <?= tags to achieve remote code execution. It automates user creation, admin login, and payload upload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Joomla (unspecified version, likely 3.x)

Auth required

Prerequisites: Joomla installation with vulnerable com_users component · Network access to target · Valid credentials or registration capability

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC

by DaDecky · pythonpoc

https://github.com/DaDecky/kpl-cve-vuln-pocs/tree/main/CVE-2016-8870

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2016-8870, an unauthenticated account creation vulnerability in Joomla. The exploit leverages the legacy user controller task `user.register` to bypass the `allowUserRegistration=0` setting in Joomla versions 3.4.4 through 3.6.3.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Joomla 3.4.4 through 3.6.3

No auth needed

Prerequisites: Joomla installation with registration disabled · Access to the Joomla registration endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 02, 2026 Full analysis →

nomisec WORKING POC

by cved-sources · poc

https://github.com/cved-sources/cve-2016-8870

View Code ZIP pw:eip

This repository provides a Dockerized environment for CVE-2016-8870, a SQL injection vulnerability in Joomla 3.5. The Dockerfile sets up a vulnerable Joomla instance with modified database entries to exploit the vulnerability.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Joomla 3.5

No auth needed

Prerequisites: Docker environment · Joomla 3.5 installation

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/joomla_registration_privesc.rb

View Code ZIP pw:eip

This Metasploit module exploits Joomla versions 3.4.4 through 3.6.3 to create an arbitrary administrative account via privilege escalation and account creation vulnerabilities (CVE-2016-8869 and CVE-2016-8870). It automates the process of user registration with elevated privileges by bypassing authentication checks.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Joomla 3.4.4 to 3.6.3

No auth needed

Prerequisites: Target Joomla instance accessible via HTTP · Email server configured in Joomla (optional for activation)

MITRE ATT&CK