The popular User Role Editor plugin allows WordPress site owners to manage user roles and privileges. In the new version 4.25, the plugin developer has fixed a critical vulnerability.
A vulnerability in User Role Editor versions below 4.61 allows attackers to gain administrator rights. The attacker does need an account on the site, so the problem is most serious for sites with open registration, and among more than 300,000 active installations there are probably many of those.
According to Mark from the Wordfence team, the issue is caused by an incorrect check of the current user's privileges when their WordPress profile is updated. The check that was used passes for any logged-in user, since every user can update their own profile data by default.
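The following is an added illustration of that privilege-check mistake, not code from the User Role Editor plugin or from Wordfence. It shows a hypothetical profile-update hook that assigns extra roles from the submitted form: the vulnerable form gates on the `edit_user` meta capability, which WordPress grants to every user for their own profile, while the hardened form requires the separate `promote_users` capability. The POST field `extra_roles`, the nonce action `extra_roles_update` and the function names are assumptions for the example.

```php
<?php
/**
 * Added illustration (not the User Role Editor plugin's own code) of the
 * profile-update privilege check discussed above, as a hypothetical plugin
 * hook. The POST field 'extra_roles' and nonce action 'extra_roles_update'
 * are assumptions made for this example.
 */

// VULNERABLE PATTERN: the capability check passes on a self-update.
// WordPress maps 'edit_user' to "allowed" whenever the target ID is the
// current user's own ID, so an ordinary subscriber saving their profile
// reaches the role assignment below with attacker-controlled role names.
function vuln_save_extra_roles( $user_id ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    if ( empty( $_POST['extra_roles'] ) || ! is_array( $_POST['extra_roles'] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    foreach ( $_POST['extra_roles'] as $role ) {
        $user->add_role( sanitize_key( $role ) ); // 'administrator' is accepted here
    }
}
// add_action( 'profile_update', 'vuln_save_extra_roles' );

// HARDENED PATTERN: changing roles is a distinct privilege from editing a
// profile. Require 'promote_users' (administrators only on a default
// install), verify the form nonce, and accept only roles that exist and
// that the current user is permitted to grant.
function safe_save_extra_roles( $user_id ) {
    // Only users who may change roles at all.
    if ( ! current_user_can( 'promote_users' ) ) {
        return;
    }
    // Tie the request to the profile form rendered for a logged-in user.
    if ( ! isset( $_POST['extra_roles_nonce'] )
        || ! wp_verify_nonce( $_POST['extra_roles_nonce'], 'extra_roles_update' ) ) {
        return;
    }
    if ( empty( $_POST['extra_roles'] ) || ! is_array( $_POST['extra_roles'] ) ) {
        return;
    }
    $editable = get_editable_roles(); // roles the current user may assign
    $user     = get_userdata( $user_id );
    foreach ( array_map( 'sanitize_key', $_POST['extra_roles'] ) as $role ) {
        if ( isset( $editable[ $role ] ) ) {
            $user->add_role( $role );
        }
    }
}
// add_action( 'profile_update', 'safe_save_extra_roles' );
```

The hardened hook expects the profile form to emit the matching hidden field with `wp_nonce_field( 'extra_roles_update', 'extra_roles_nonce' )`. The important line is the `promote_users` check: it asks "may this user change roles at all?" rather than "may this user edit this profile?", which is the question the vulnerable version answers and which every user can answer yes to for themselves.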
The author of the plugin released an update a few days ago. If you use User Role Editor on your site, we recommend updating immediately; after updating, recheck the list of administrators and the members of the other roles on the site, and review the access logs for suspicious activity. Your hosting provider can help with this.