Description:
C.P.Sub <= v4.5 uses the "user_com=" parameter to determine whether the user has admin privileges.
An attacker could therefore simply change the value of the "user_com=" parameter to gain admin privileges.
to
http://Example_Target/info.php?cookie=yes&user_com=biggest
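
A detection sketch for the parameter tampering described above, added here as an example and not part of the original advisory or of C.P.Sub: it scans web server access log lines for requests that carry the admin value in "user_com" from addresses outside an expected set. The log format (common/combined), the allowlist parameter, the function name and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request part of a common/combined log format entry (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PRIV_PARAM = "user_com"   # parameter named in the advisory
ADMIN_VALUE = "biggest"   # value shown in the advisory's URL


def find_admin_param_requests(lines, known_admin_ips=frozenset()):
    """Flag requests that ask for the admin value from an unexpected address.

    known_admin_ips is a hypothetical allowlist of addresses administrators
    are expected to use; any other client requesting ADMIN_VALUE is reported.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the expected format
        url = urlsplit(m["target"])
        # parse_qs percent-decodes names and values, so user%5Fcom is caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        values = [v.lower() for k, vs in params.items()
                  if k.lower() == PRIV_PARAM for v in vs]
        if ADMIN_VALUE in values and m["ip"] not in known_admin_ips:
            findings.append((m["ip"], url.path, int(m["status"])))
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /info.php?cookie=yes&user_com=biggest HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /info.php?cookie=yes&user_com=biggest HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /info.php?cookie=yes&user%5Fcom=Biggest HTTP/1.1" 200 2048',
    '192.0.2.77 - - [01/Jan/2024:10:01:00 +0000] "GET /info.php?cookie=yes&user_com=example HTTP/1.1" 200 900',
    'malformed line',
]

if __name__ == "__main__":
    for ip, path, status in find_admin_param_requests(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"admin value requested by {ip}: {path} -> HTTP {status}")
```

Log review only shows that the request was made; the fix is for the application to take the privilege level from server-side session state rather than from anything the client sends.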
Misconfiguration
==========================================
There are some default accounts for C.P.Sub <= v4.5 that allow an attacker
to access the back-end management page. This could lead to further attacks.