‘edit_user’ Capability Privilege Escalation

A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, which prevents this scenario from happening.