What three conditions must be simultaneously met for an attacker to gain full administrator access via these vulnerabilities?
The attacker requires: (1) Joomla version between 3.4.4 and 3.6.3, (2) the email sending function enabled in the backend (with SMTP configured), and (3) user registration enabled in the backend. Only when all three are true can the attacker create and activate a privileged account. The test record shows that upgrading to 3.6.4 effectively blocks the exploit, and if either email or registration is off, the account never becomes active.
Joomla administrator access, attack conditions, email SMTP, user registration enabled, version 3.4.4-3.6.3