delete.php in Max.Blog 1.0.6 does not properly restrict access, which allows remote malicious users to delete arbitrary blog posts via a direct request.
mzbservices max.blog 1.0.6