PHP-Nuke 7.4 has a cross site scripting flaw that allows an attacker the ability to delete any admin account. It is an old bug that has a patch that can be bypassed if the data is sent via a POST instead of a GET.
51573d83c3c65065bed02550784dc40a4c140a5fac13c9ead8bf3bd94ee4981f