The iMember360 plugin 3.8.012 through 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to delete arbitrary users via a request containing a user name in the Email parameter and the API key in the i4w_clearuser parameter.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Imember360 | Imember360 | 3.9.000 | 3.9.000 |
Imember360 | Imember360 | 3.9.001 | 3.9.001 |
Imember360 | Imember360 | 3.8.014 | 3.8.014 |
Imember360 | Imember360 | 3.8.012 | 3.8.012 |
Imember360 | Imember360 | 3.8.013 | 3.8.013 |