Description
wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
Remediation
References
Related Vulnerabilities
WordPress Plugin WP Activity Log Security Bypass (3.3.1.1)
WordPress Plugin SP Project & Document Manager Multiple SQL Injection Vulnerabilities (2.4.3)
WordPress Plugin WP Real Estate Unspecified Vulnerability (2.0)
Oracle JRE CVE-2013-2457 Vulnerability (CVE-2013-2457)
Squid Improper Input Validation Vulnerability (CVE-2016-2390)