I got a message today from a friend of mine.
He reported that he could enter the admin and (de-)activate plugins! He could do this as a guest (!!) and as a subscriber.
I had a plugin, Role Manager, so I deactivated this, and he STILL got access to the admin!
I think this is a very hug security issue!
I suggest to make a better user rights system!