PBLang contains a flaw that may allow a malicious user to delete arbitrary personal messages. The issue is triggered when an attacker sends a specially crafted URL to the server running PBLang with the personal message id and user name of an arbitrary message to delete passed in as parameters to the delpm.php script. It is possible that the flaw may allow a malicious user to delete arbitrary messages resulting in a loss of integrity.
Upgrade to version 4.66z or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.