The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page
https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5
https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/