WordPress 2.6.1 Vulnerability (Not Critical)
This vulnerability lets you change the admin password if registration is enabled. It works by duplicating the admin username. It is related to MySQL column truncation vulnerabilities.
If, however, the attacker tries to register the username ‘admin x’ (‘admin’, then padding spaces, then ‘x’, 17 characters in total), the application will search for it in the database and will not find it, because it is impossible to find a username with a length of 17 in a database field that has a 16 character limit. The application will accept the new username and insert it into the database. However, the username column is too short for the full name, so it is truncated and ‘admin ’ (with its trailing spaces) is inserted into the database.
But this is not critical, since the new password will be sent to the correct admin email.
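The check-then-insert flow described above, next to a hardened registration check, as an added example that is not code from WordPress or from the original post. `UserTable`, `register_naive` and `register_hardened` are hypothetical names, and the table is a toy model that assumes silent truncation on insert and comparisons that ignore trailing spaces.

```python
COLUMN_WIDTH = 16  # the 16 character limit quoted in the post

class UserTable:
    """Toy model of the username column (assumed behaviour, not a real database)."""
    def __init__(self):
        self.rows = []

    def find(self, name):
        # Assumption: comparisons ignore trailing spaces.
        return [r for r in self.rows if r.rstrip(" ") == name.rstrip(" ")]

    def insert(self, name):
        # Assumption: over-long values are truncated silently instead of rejected.
        self.rows.append(name[:COLUMN_WIDTH])

def register_naive(table, name):
    """Look the name up, then insert it: the flow the post describes."""
    if table.find(name):
        return False
    table.insert(name)
    return True

def register_hardened(table, name):
    """Accept only names the column can store verbatim, then check for duplicates."""
    canonical = name.strip()
    if not canonical or canonical != name or len(name) > COLUMN_WIDTH:
        return False  # empty, padded or over-long: the stored value would differ
    if table.find(canonical):
        return False
    table.insert(canonical)
    return True

def demo():
    """Run both checks against a constructed 17-character padded name."""
    padded = "admin".ljust(COLUMN_WIDTH) + "x"  # constructed sample input
    naive, hardened = UserTable(), UserTable()
    naive.insert("admin")
    hardened.insert("admin")
    return {
        "naive_accepted": register_naive(naive, padded),
        "naive_admin_rows": len(naive.find("admin")),
        "hardened_accepted": register_hardened(hardened, padded),
        "hardened_admin_rows": len(hardened.find("admin")),
    }

if __name__ == "__main__":
    print(demo())
```

On the database side, MySQL's strict SQL mode (which turns the truncation into an error) and a UNIQUE index on the username column close the same gap.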
