A vulnerability exists in WordPress plugins that allows shop managers to delete certain files on the server, leading to a potential takeover of administrator accounts. The issue arises from an unpatched design flaw in how WordPress handles privileges, which can be exploited by deleting specific plugin files or by using meta capabilities to bypass security checks. Over 4 million WooCommerce shops are affected. The vulnerability was reported on HackerOne in August 2018, and a patch was released in October of that year. The exploit works because user roles are stored in the database even if the plugin is disabled, so shop managers with access to edit customer accounts can take over administrator accounts by updating their passwords or deleting critical files such as `woocommerce.php`.
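
The design flaw described above, as a simplified model added here (not WordPress or WooCommerce code): the role's capability persists in the database, while the check that narrows it exists only in plugin code. The role names, the `edit_users` capability name and every function name are assumptions chosen for illustration; the sample role table is constructed.

```python
# Simplified model of the privilege design described above.
# Not WordPress or WooCommerce code; all names are illustrative assumptions.

# Constructed sample: role definitions as persisted in the database.
STORED_ROLES = {
    "administrator": {"edit_users", "manage_options"},
    "shop_manager": {"edit_users"},
    "customer": set(),
}


def plugin_restriction(actor_role, target_role):
    """Check that ships in the plugin's code: shop managers may edit customers only."""
    if actor_role == "shop_manager":
        return target_role == "customer"
    return True


def can_edit_user(actor_role, target_role, plugin_active):
    """Weak design: the stored capability is broad, the limit exists only while the plugin runs."""
    if "edit_users" not in STORED_ROLES.get(actor_role, set()):
        return False
    if plugin_active:
        return plugin_restriction(actor_role, target_role)
    return True  # plugin code not loaded, so nothing narrows the stored capability


def can_edit_user_fail_closed(actor_role, target_role, plugin_active):
    """Hardened variant: a plugin-defined role loses the capability when the plugin is not loaded."""
    plugin_roles = {"shop_manager"}
    if actor_role in plugin_roles and not plugin_active:
        return False
    return can_edit_user(actor_role, target_role, plugin_active)


def audit_roles(stored_roles, trusted=("administrator",)):
    """Defender check: list non-admin roles whose stored capabilities include edit_users."""
    return sorted(role for role, caps in stored_roles.items()
                  if "edit_users" in caps and role not in trusted)
```

`audit_roles` is the check to run against an exported role table: any role it returns depends on runtime code, not on its stored definition, to stay limited.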