The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a users identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.
The product requires authentication, but the product has an alternate path or channel that does not require authentication.