What are the two vulnerabilities (CVE-2016-8870 and CVE-2016-8869) in Joomla 3.4.4–3.6.3, and how do they work together?
CVE-2016-8870 allows an attacker to create a user account even when the website’s registration is disabled by using the `UsersControllerUser::register()` method, which lacks the registration-disabled check present in the standard `UsersControllerRegistration::register()` method. CVE-2016-8869 enables the attacker to assign privileged groups (like Super Users) to that new account. Combined, they allow registering a privileged user without needing the site’s registration to be enabled, as detailed in the Joomla 3.4.4-3.6.3 Account Creation & Privilege Escalation Test Record.
Tags: CVE-2016-8870, CVE-2016-8869, Joomla privilege escalation, account creation bypass, user registration bypass