It seems as if there is no check to see if a request to admin/ajax/deluserajax.php has a valid session or not. This means that an anonymous user can remove other users and possibly verify himself using this API as long as he knows the uid. Especially considering that the uid is used in the frontend (when you are logged in) this doesn't seem very safe.
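One way to close the gap described above, as an added example that is not the project's own code: a handler for a delete-user AJAX endpoint that rejects the request unless the session is authenticated, the session holds an admin role, the CSRF token matches and the uid is a valid integer. The session keys, the role name and the `$deleteUser` callback are assumptions.

```php
<?php
// Added example (not the project's code); session keys, role name and the
// $deleteUser callback are assumptions.
declare(strict_types=1);

/**
 * Authorise and validate a delete-user request; $deleteUser runs only after
 * every check passes. Returns [HTTP status, JSON-encodable body].
 */
function handle_delete_user(array $session, array $post, callable $deleteUser): array
{
    // 1. Authentication: an anonymous request must be rejected outright.
    if (empty($session['uid'])) {
        return [401, ['error' => 'login required']];
    }
    // 2. Authorisation: only an administrator may delete accounts.
    if (($session['role'] ?? '') !== 'admin') {
        return [403, ['error' => 'admin privileges required']];
    }
    // 3. CSRF: a state-changing AJAX call must carry the per-session token.
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return [403, ['error' => 'invalid CSRF token']];
    }
    // 4. Input validation: uid must be a positive integer, never raw input.
    $uid = filter_var($post['uid'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return [400, ['error' => 'invalid uid']];
    }
    // 5. Refuse to delete the account that owns the current session.
    if ($uid === (int) $session['uid']) {
        return [400, ['error' => 'cannot delete own account']];
    }
    $deleteUser($uid);
    // Audit trail: record who deleted whom.
    error_log(sprintf('user %d deleted by admin %d', $uid, (int) $session['uid']));
    return [200, ['deleted' => $uid]];
}

// Endpoint glue (assumed): read the real session and POST body when served over HTTP.
if (PHP_SAPI !== 'cli') {
    session_start();
    [$status, $body] = handle_delete_user($_SESSION, $_POST, function (int $uid): void {
        // Constructed stub; the real endpoint would delete the user row here.
    });
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}
```

The same checks belong on any sibling endpoint that verifies or otherwise modifies a user by uid, since the uid is already visible to logged-in users in the frontend.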