Thread:Extension talk:UserAdmin/PurgeUser usernames not SQL escaped!

The purge user function does not sql escape usernames. This is a dangerous security hole!