iMember360 Plugin for WordPress contains a flaw that is triggered when setting the ‘i4w_dbinfo’ parameter. In versions prior to 3.9.001, a remote attacker can gain access to full database credentials (database name, username, password, and encoding). After version 3.9.001, an authenticated attacker must request an admin URL to gain access to this information.

iMember360 Plugin for WordPress contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the prorgram does not validate input to the ‘decrypt’ and ‘encrypt’ GET parameters before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

iMember360 Plugin for WordPress contains a flaw that is triggered as input passed via the ‘i4w_clearuser’ parameter is not properly sanitized. This may allow a remote attacker to delete users from the database.

iMember360 Plugin for WordPress contains a flaw that is triggered as input passed via the ‘i4w_trace’ parameter is not properly escaped. With a specially crafted request, an authenticated remote attacker can execute arbitrary code.