One Day Sec

What was the official patch for these vulnerabilities, and how does it prevent the exploit?

The official patch removed the vulnerable `UsersControllerUser::register()` method entirely. By eliminating this alternative registration path, attackers can no longer bypass the registration-disabled check or assign privileged groups through that controller. After upgrading to Joomla 3.6.4, the test PoC adds no users and triggers no activation emails, indicating the fix is effective. For more on privilege escalation patterns, see the related analysis on AlwaysInstallElevated and RID hijacking.
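Because the fix is the removal of a method rather than a changed check, a defender verifying an upgrade wants two signals: the reported Joomla version and the absence of `register()` from the `UsersControllerUser` class. The script below is an added example written for this answer, not code from One Day Sec or from the Joomla project. It embeds constructed stand-ins for the two source files it reads, and it assumes the Joomla 3.x layout (`components/com_users/controllers/user.php` for the controller, `libraries/cms/version/version.php` with `RELEASE` and `DEV_LEVEL` constants for the version); both paths are assumptions to confirm against the install being audited.

```python
import re
from pathlib import Path

# Constructed stand-ins for the two files the check reads. They mimic the
# shape of Joomla 3.x sources but are NOT the real files.
VULNERABLE_CONTROLLER = """<?php
defined('_JEXEC') or die;

class UsersControllerUser extends UsersController
{
    public function login()
    {
        // ...
    }

    public function register()
    {
        // legacy registration path, removed by the 3.6.4 patch
    }
}
"""

PATCHED_CONTROLLER = """<?php
defined('_JEXEC') or die;

class UsersControllerUser extends UsersController
{
    public function login()
    {
        // ...
    }
}
"""

SAMPLE_VERSION_PHP = """<?php
final class JVersion
{
    const RELEASE = '3.6';
    const DEV_LEVEL = '4';
}
"""

CLASS_RE = re.compile(r"\bclass\s+UsersControllerUser\b")
REGISTER_RE = re.compile(r"\bfunction\s+register\s*\(", re.IGNORECASE)
VERSION_RE = re.compile(r"const\s+(RELEASE|DEV_LEVEL)\s*=\s*'([^']*)'")

PATCHED_VERSION = (3, 6, 4)  # first release without the method


def exposes_legacy_register(controller_source: str) -> bool:
    """True if UsersControllerUser still defines register().

    Scans from the class keyword onward; adequate because the controller
    file defines a single class.
    """
    cls = CLASS_RE.search(controller_source)
    if cls is None:
        return False
    return REGISTER_RE.search(controller_source, cls.end()) is not None


def parse_joomla_version(version_source: str) -> tuple:
    """Build (major, minor, patch) from the RELEASE and DEV_LEVEL constants."""
    consts = dict(VERSION_RE.findall(version_source))
    if "RELEASE" not in consts or "DEV_LEVEL" not in consts:
        raise ValueError("RELEASE/DEV_LEVEL constants not found")
    parts = consts["RELEASE"].split(".") + [consts["DEV_LEVEL"]]
    return tuple(int(p) for p in parts)


def audit_sources(controller_source: str, version_source: str) -> dict:
    """Combine both signals: a bumped version file alone does not prove
    the controller file was actually replaced."""
    version = parse_joomla_version(version_source)
    legacy = exposes_legacy_register(controller_source)
    return {
        "version": version,
        "version_patched": version >= PATCHED_VERSION,
        "legacy_register_present": legacy,
        "vulnerable": legacy or version < PATCHED_VERSION,
    }


def audit_install(root: str) -> dict:
    """Run the same checks against an on-disk Joomla 3.x root (assumed paths)."""
    base = Path(root)
    controller = (base / "components/com_users/controllers/user.php").read_text(errors="replace")
    version = (base / "libraries/cms/version/version.php").read_text(errors="replace")
    return audit_sources(controller, version)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(audit_install(sys.argv[1]))
    else:
        print("vulnerable sample:", audit_sources(VULNERABLE_CONTROLLER, SAMPLE_VERSION_PHP))
        print("patched sample:  ", audit_sources(PATCHED_CONTROLLER, SAMPLE_VERSION_PHP))
```

Run it with the path to a Joomla root to audit a real install, or with no arguments to see the two embedded samples. The first sample deliberately pairs a 3.6.4 version file with a controller that still carries `register()`, the state left by a half-applied upgrade, and is reported as vulnerable on the strength of the method check alone.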
Tags: Joomla patch, UsersControllerUser::register(), CVE-2016-8869 fix, CVE-2016-8870 fix, privilege escalation prevention