The iMember360 plugin 3.8.012 up to and including 3.9.001 for WordPress does not properly restrict access, which allows remote malicious users to delete arbitrary users via a request containing a user name in the Email parameter and the API key in the i4w_clearuser parameter.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
imember360 imember360 3.9.001 |
||
imember360 imember360 3.9.000 |
||
imember360 imember360 3.8.013 |
||
imember360 imember360 3.8.014 |
||
imember360 imember360 3.8.012 |