Access Restriction Flaw in iMember360 Plugin for WordPress
CVE-2014-3849

Currently unrated

Key Information:

Vendor

Wordpress
Status
Imember360
Vendor
CVE Published:
23 May 2014

What is CVE-2014-3849?

The iMember360 plugin versions 3.8.012 to 3.9.001 for WordPress is susceptible to an access control vulnerability that enables remote attackers to delete arbitrary users. This is achieved by submitting a specially crafted request containing both a user name in the Email parameter and an API key in the i4w_clearuser parameter, thereby bypassing the intended access restrictions. Users of this plugin should ensure immediate updates and monitor for potential exploitation.

References

http://packetstormsecurity.com/files/126324/WordPress-iMe...
x_refsource_MISC
http://www.exploit-db.com/exploits/33076
exploitx_refsource_EXPLOIT-DB
http://www.osvdb.org/106300
vdb-entryx_refsource_OSVDB

EPSS Score

10% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability Reserved

  • Vulnerability published

.
CVE-2014-3849 : Access Restriction Flaw in iMember360 Plugin for WordPress