By manipulating the user ID in the URL, a low-privileged user can view the information of any other user.
Step 1: Log in as user1, who has the author privilege, and see that he can only access his own edit screen. Click the edit button.
Step 2: Note the userID in the URL and change it to the userID of the admin.
Step 3: user1 can now view some extra information of the admin, such as “User Settings” and “API Keys”.
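
The missing server-side check behind this issue, shown as an added example that is not the affected application's code. The handler names, roles and in-memory user table are hypothetical, and it assumes admins are allowed to open any user's edit screen.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    name: str
    role: str  # "author" or "admin"
    settings: dict
    api_keys: tuple

# Constructed sample accounts; the key values are placeholders.
USERS = {
    1: User(1, "admin", "admin", {"theme": "dark"}, ("ADMIN-KEY-PLACEHOLDER",)),
    2: User(2, "user1", "author", {"theme": "light"}, ("USER1-KEY-PLACEHOLDER",)),
}

class Forbidden(Exception): pass

def _view(u):
    return {"name": u.name, "settings": u.settings, "api_keys": u.api_keys}

def edit_screen_vulnerable(session_user_id, url_user_id):
    # Only checks that someone is logged in, then trusts the ID from the URL.
    if session_user_id not in USERS:
        raise Forbidden("not logged in")
    return _view(USERS[url_user_id])

def edit_screen_hardened(session_user_id, url_user_id):
    actor = USERS.get(session_user_id)
    if actor is None:
        raise Forbidden("not logged in")
    target = USERS.get(url_user_id)
    # Same error for "no such user" and "not yours", so IDs cannot be probed.
    if target is None or (actor.id != target.id and actor.role != "admin"):
        raise Forbidden("not allowed")
    return _view(target)

def cross_user_reads(handler):
    """Regression check: (actor, target) pairs where a non-admin read another user's record."""
    leaks = []
    for actor in USERS.values():
        for target in USERS.values():
            if actor.role == "admin" or actor.id == target.id:
                continue
            try:
                handler(actor.id, target.id)
                leaks.append((actor.name, target.name))
            except Forbidden:
                pass
    return leaks
```

Running `cross_user_reads` against every handler that takes a user ID from the request gives a test that fails whenever the ownership check is dropped.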