Joomla patched a vulnerability (CVE-2016-9838) which if exploited could allow an attacker to reset login credentials and take over sites.

The bug affects all Joomla CMS versions released over the past five years, 1.6.0 through 3.6.4, and was the result of the incorrect use of unfiltered data stored to the session on a form validation failure which allows for existing user accounts to be modified, according to the security advisory.

The vulnerability is categorized as having a “high severity” and users are instructed to upgrade to version 3.6.5 or sites could be seized and used as part of SEO spam or DDoS botnets, researchers at Bleeping Computers warned.

Researchers warned that it is highly likely that attackers will weaponize the flaw and attempt to highjack as many sites as possible before admins have a chance to update them.