User Rights Access Manager < 1.0.4 - Improper Access Controls
The plugin did not properly restrict access to some paths, still allowing a restricted user to access them, and edit the Blog Options, create/edit posts and so on for example
Proof of Concept
To reproduce it, install the plugin, create a new admin user and take all his privileges using the mentioned plugin (block all his access).
Result: You'll still be a able to access those paths.
A fully restricted Admin Class user still has access to the following paths:
v < 1.0.3
Comments > Approve / Unapprove
Comments > Reply
Comments > Spam
Comments > Trash / Delete Permanently
v <= 1.0.3
v < 1.0.4