The plugin does not have authorisation in the multiple_roles_update function, allowing any authenticated users, such as subscriber to update their role and set themselves as admin for example, when the ‘Enable role management’ setting is enabled.
CPE | Name | Operator | Version |
---|---|---|---|
wp-data-access | lt | 5.3.8 |