There is functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. **Partially unpatched because they added CSRF protection that technically blocks low-level users from using the endpoint, however, no capability check was added.
The PoC will be displayed once the issue has been remediated