IDevSpot NexieAffiliate 1.9 and previous versions allows remote malicious users to delete arbitrary affiliates via a modified id parameter to delete.php.
idevspot nixieaffiliate