I use McAfee Secure for my PCI scan. My site using aMember 4.27 just failed a scan. Here is the detail of the problem. In the login page, if a hacker specifies amember_redirect_url, then after the user enters his username/password, he is transported to the URL specified, even if this URL is in a completely different domain name. I have confirmed that this vulnerability is real:

Protocol: http
Port: 80
Read Timeout: 10000
Method: POST
Path: /login
Headers:
  Referer=http%3A%2F%2Fsubscriptions.print-science.com%2Fmember%2Findex
  Content-Type=application%2Fx-www-form-urlencoded
Body:
  amember_login=0
  amember_pass=0
  login_attempt_id=1342839155
  amember_redirect_url=http://www.mcafeesecure.com/
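An added example, not code from aMember or from the post above, of the server-side check that closes this class of open redirect: the login handler honours amember_redirect_url only when it is a site-relative path or an absolute http(s) URL whose host is the site's own. The site host is taken from the Referer in the scan report; the fallback landing path and the function names are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Host the login page belongs to, taken from the Referer in the scan report.
SITE_HOST = "subscriptions.print-science.com"
# Where to send the user when the requested target is rejected (assumed path).
DEFAULT_LANDING = "/member/index"


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Return True only if `target` keeps the user on this site.

    Accepts a path-relative URL ("/member/index") or an absolute http(s) URL
    whose hostname is exactly `site_host`. Rejects other hosts,
    scheme-relative URLs ("//other.example/"), non-http schemes such as
    "javascript:", and control characters or backslashes that some browsers
    normalise into a host change.
    """
    if not target or any(c in target for c in "\\\r\n\t"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative: must be a single-slash site path, never "//host".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # `hostname` strips userinfo and port, so "http://site@other.example/"
    # compares as "other.example" and is rejected.
    return (parts.hostname or "").lower() == site_host.lower()


def choose_landing(redirect_param: Optional[str], site_host: str = SITE_HOST) -> str:
    """Pick the post-login destination: the requested target if safe, else the default."""
    if redirect_param and is_safe_redirect(redirect_param, site_host):
        return redirect_param
    return DEFAULT_LANDING


if __name__ == "__main__":
    # The value the scanner submitted in the report above is rejected.
    print(choose_landing("http://www.mcafeesecure.com/"))  # /member/index
    print(choose_landing("/member/signup"))                # /member/signup
```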