The two critical flaws, both exist in the Joomla Core functionalities, include Account Creation Vulnerability (CVE-2016-8870) and Elevated Privileges flaw (CVE-2016-8869) that, if unpatched, could put millions of websites that run on Joomla at risk.
The account creation bug could allow any user to register on a website, even if the registration process has been disabled, while the elevated privileges flaw could enable users to perform advanced functions on a registered site that ordinary users are not authorized to do.
Both the critical vulnerabilities affect Joomla version 3.4.4 through 3.6.3. The update also includes a bug fix for Two-Factor Authentication.
Millions of websites used in e-commerce and other sensitive industries used Joomla, including big brand services such as McDonalds, Linux.com, General Electric, and major news sites.
So, Joomla administrators are recommended to quickly update their websites to the updated version 3.6.4 of the CMS immediately.