Security Company has reported the vulnerability to eBay, which owns the Magento project and has since patched it. The vulnerability allows an attacker to steal store credits and gift coupons, change the price of products and manipulate a number of other settings in more than 20,000 web stores. To exploit the flaw, an attacker only needed to modify the HOST header to the address of the target account in the GET request, together with the other facilities for adding a new user in the targeted store. “All these requests however “impersonate” the store owner account so actions are logged as this user and do not look so suspicious.”
Source: https://thehackernews.com/2014/02/Magento-vulnerability-Administrative-User_13.html
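The attack summarised above relies on the application trusting a client-supplied HOST header. The following Python is an added example (not code from the article or from Magento) showing the defensive side: a strict Host-header allowlist check, plus a scan of constructed access-log lines that flags requests whose Host header does not match the store's own domains. The hostnames, log lines and log format are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Hostnames this store is configured to serve (assumed values, not from the article).
TRUSTED_HOSTS = {"shop.example.com", "www.shop.example.com"}

def normalize_host(header_value: str) -> str:
    """Reduce a Host header value to a bare lowercase hostname.
    Strips the port, a trailing dot and IPv6 brackets so that
    'Shop.Example.COM:443.' and 'shop.example.com' compare equal."""
    value = header_value.strip().lower().rstrip(".")
    try:
        # '//' makes urlsplit parse the value as a netloc (handles ports and [ipv6]).
        parts = urlsplit("//" + value)
    except ValueError:            # e.g. unbalanced IPv6 brackets
        return ""
    if parts.path or parts.query or parts.fragment:
        return ""                 # a Host header must contain only a host[:port]
    return parts.hostname or ""

def host_header_is_trusted(header_value: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only when the Host header names a host this store actually serves.
    Anything else (attacker-chosen host, empty or malformed value) is rejected, so
    absolute URLs and admin actions are never built from a client-supplied host."""
    host = normalize_host(header_value)
    return bool(host) and host in trusted

# Constructed access-log lines: Apache combined format with the Host header appended
# ("%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{Host}i\"").
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2014:10:01:02 +0000] "GET /admin/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "shop.example.com"
203.0.113.9 - - [13/Feb/2014:10:02:15 +0000] "GET /admin/customer/new HTTP/1.1" 200 987 "-" "curl/7.35" "attacker.example.net"
203.0.113.9 - - [13/Feb/2014:10:02:16 +0000] "GET /admin/customer/new HTTP/1.1" 200 987 "-" "curl/7.35" "Shop.Example.com:443"
203.0.113.9 - - [13/Feb/2014:10:02:17 +0000] "GET / HTTP/1.1" 400 0 "-" "curl/7.35" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d+ \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$')

def find_untrusted_host_requests(log_text: str, trusted=TRUSTED_HOSTS) -> list:
    """Return (client_ip, request_line, host_header) for every request whose Host
    header is not on the allowlist; a missing header (logged as '-') is flagged too."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # skip lines in another format
        host = m["host"]
        if host == "-" or not host_header_is_trusted(host, trusted):
            hits.append((m["ip"], m["req"], host))
    return hits
```

In a real deployment the allowlist check belongs at the web server or framework entry point, and the log scan is a cheap retrospective hunt for requests that carried a host the store never served.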