The /1/api/ulisting-user/role/save REST route did not perform capability and CSRF checks, allowing unauthenticated users to remove and add roles, as well as add capabilities to the blog.
2021-01-28 (about 2 years ago)
2021-01-28 (about 2 years ago)
2021-01-29 (about 2 years ago)