Access Restriction Flaw in iMember360 Plugin for WordPress
CVE-2014-3849

Currently unrated

Key Information:

Vendor: Wordpress
Status: Imember360
Vendor: CVE Published:; 23 May 2014

Summary

The iMember360 plugin versions 3.8.012 to 3.9.001 for WordPress is susceptible to an access control vulnerability that enables remote attackers to delete arbitrary users. This is achieved by submitting a specially crafted request containing both a user name in the Email parameter and an API key in the i4w_clearuser parameter, thereby bypassing the intended access restrictions. Users of this plugin should ensure immediate updates and monitor for potential exploitation.

References

http://packetstormsecurity.com/files/126324/WordPress-iMe...

x_refsource_MISC

http://www.exploit-db.com/exploits/33076

exploitx_refsource_EXPLOIT-DB

http://www.osvdb.org/106300

vdb-entryx_refsource_OSVDB

EPSS Score

10% chance of being exploited in the next 30 days.

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
May 23, 2014