I got a message today from a friend of mine.
He reported that he could enter the admin and (de-)activate plugins! He could do this as a guest (!!) and as a subscriber.
I had a plugin, Role Manager, so I deactivated this, and he STILL got access to the admin!
He could go there by direct URL (i.e. http://domain.tld/wp-admin/plugins.php) or by the URL on the domain itself (i.e. http://domain.tld and clicking on Admin and then on plugins).
I think this is a very huge security issue!
I suggest making a better user rights system!