Joomla! has revealed it's patched twin critical flaws allowing attackers to bypass rules and create elevated privilege accounts.
Project staff warned of the looming patch this week asking administrators to prepare for the patch and apply it immediately.
The Joomla! security strike team said at the time only that a hole impacted the content management system core and was a "very important" fix.
Joomla! has been downloaded more than 75 million times and runs on big ticket sites including McDonalds, Ikea, General Electric, Linux.com, and major news sites.
WordPress leads the open-source content management pack with some 140 million downloads.
Versions 3.4.4 through to 3.6.3 are affected.
"We strongly recommend that you update your sites immediately," Joomla! security staff say.
Those sites that do not apply the patches should expect to be targeted by hackers who have reverse engineered the fixes to learn how to create the unathorised privleged accounts.
Joomla! took less than a week to patch the flaws after it was first reported by separate researchers.
Joomla!'s patch run also squashes a two-factor authentication bug that prevented some admnistrators from logging into their CMS installations.