CVE-2014-3849 | Vulnerability Database | Aqua Security

NVD

https://nvd.nist.gov/vuln/detail/CVE-2014-3849

CWE

https://cwe.mitre.org/data/definitions/264.html

The iMember360 plugin 3.8.012 through 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to delete arbitrary users via a request containing a user name in the Email parameter and the API key in the i4w_clearuser parameter.

Affected Software

Name	Vendor	Start Version	End Version
Imember360	Imember360	3.8.012 (including)	3.8.012 (including)
Imember360	Imember360	3.8.013 (including)	3.8.013 (including)
Imember360	Imember360	3.8.014 (including)	3.8.014 (including)
Imember360	Imember360	3.9.000 (including)	3.9.000 (including)
Imember360	Imember360	3.9.001 (including)	3.9.001 (including)

References

http://packetstormsecurity.com/files/126324/WordPress-iMember360is-3.9.001-XSS-Disclosure-Code-Execution.html
http://seclists.org/fulldisclosure/2014/Apr/265
http://www.exploit-db.com/exploits/33076
http://www.osvdb.org/106300