If you are running the User Role Editor plugin version 4.24 or older, upgrade immediately to the latest version, 4.25.
In version 4.24 and older, the vulnerability allows any registered user to gain administrator access.
Please see more details about the vulnerability, which was disclosed by Wordfence, a popular security plugin for WordPress.
The plugin used a function to check whether a given user has access to edit another user, but the function was not used properly, which created the vulnerability.
The author checked whether users have access to edit another user by calling the ‘current_user_can’ function with the ‘edit_user’ capability (without an ‘s’ on the end) on a specific user ID.
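
An added example, not the plugin's code: a simplified single-site model of how WordPress resolves the per-user ‘edit_user’ meta capability, which core grants to every user for their own ID, compared with a gate that also requires a primitive capability. The user IDs, capability lists and the functions `model_user_can`, `may_change_roles_weak` and `may_change_roles_strict` are assumptions made for illustration; the stricter gate is one possible hardening, not the fix shipped in 4.25.

```php
<?php
// Simplified single-site model of WordPress capability checks (added example).
// Users are constructed sample data, not taken from any real site.
$users = [
    1 => ['id' => 1, 'caps' => ['read', 'edit_users', 'promote_users']], // administrator
    7 => ['id' => 7, 'caps' => ['read']],                                // subscriber
];

// Models current_user_can(): 'edit_user' is a meta capability resolved per target,
// while 'edit_users' and 'promote_users' are primitive capabilities held by a role.
function model_user_can(array $actor, string $cap, ?int $target_id = null): bool
{
    if ($cap === 'edit_user') {
        if ($target_id === $actor['id']) {
            return true; // core lets every user edit their own profile
        }
        $cap = 'edit_users'; // editing someone else needs the primitive capability
    }
    return in_array($cap, $actor['caps'], true);
}

// Weak gate: the meta capability alone, as described in the text above.
function may_change_roles_weak(array $actor, int $target_id): bool
{
    return model_user_can($actor, 'edit_user', $target_id);
}

// Stricter gate (hypothetical): also require a primitive capability that
// ordinary registered users never hold before any role data is processed.
function may_change_roles_strict(array $actor, int $target_id): bool
{
    return model_user_can($actor, 'edit_user', $target_id)
        && model_user_can($actor, 'promote_users');
}

// Compare both gates for: subscriber on self, subscriber on admin, admin on subscriber.
foreach ([[7, 7], [7, 1], [1, 7]] as [$actor_id, $target_id]) {
    printf(
        "actor=%d target=%d weak=%s strict=%s\n",
        $actor_id,
        $target_id,
        var_export(may_change_roles_weak($users[$actor_id], $target_id), true),
        var_export(may_change_roles_strict($users[$actor_id], $target_id), true)
    );
}
```

The case to audit for in plugin code is the first row: a low-privileged actor whose target ID is their own passes the weak gate, so any handler that processes role data behind that check alone needs a primitive capability check as well.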