An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and the global CMS settings, i.e. /wp-admin/customize.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. Even with the maximum restrictions applied to a temporary administrator account, several attack vectors remain possible against the targeted website; the simplest and fastest is raising the account's privileges to the unrestricted administrator level and taking full control of the attacked website.
Create a temporary admin account via the plugin (/wp-admin/users.php?page=controlled_admin_access) with limited access, then open the URLs below, which should not be accessible to that account:
### -- [ PoC #1 | Improper Access Control | Customize: ]
[!] https://example.com/wp-admin/customize.php
### -- [ PoC #2 | Improper Access Control | All Settings: ]
[!] https://example.com/wp-admin/options.php
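A defender-side mitigation for the two screens above, as an added example that is not part of this advisory or of the plugin's own code: a must-use plugin that strips the capabilities gating customize.php and options.php from restricted temporary admins and blocks the screens directly as a second layer. The user meta key `_restricted_temp_admin` is an assumption; the real plugin stores its account state differently, so only the lookup function needs adapting.

```php
<?php
/**
 * Added example (not the plugin's code). Assumes restricted temporary admins
 * carry the hypothetical user meta '_restricted_temp_admin' = '1'.
 * Drop into wp-content/mu-plugins/ so it loads before normal plugins.
 */

function is_restricted_temp_admin( $user_id ) {
    // Hypothetical meta key tagging temporary, restricted admin accounts.
    return '1' === get_user_meta( $user_id, '_restricted_temp_admin', true );
}

/**
 * customize.php requires the 'customize' capability (mapped by core to
 * 'edit_theme_options'); options.php requires 'manage_options'. Denying them
 * at the capability layer also covers AJAX/REST paths that check the same
 * capabilities, not just the two admin URLs. (Multisite super admins bypass
 * this filter; this example assumes a single site.)
 */
function restrict_temp_admin_caps( $allcaps, $caps, $args, $user ) {
    if ( ! $user instanceof WP_User || ! is_restricted_temp_admin( $user->ID ) ) {
        return $allcaps;
    }
    foreach ( array( 'customize', 'edit_theme_options', 'manage_options' ) as $cap ) {
        $allcaps[ $cap ] = false;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'restrict_temp_admin_caps', 10, 4 );

/**
 * Defence in depth: refuse the two screens outright for flagged accounts and
 * leave a log line so attempts can be picked up by monitoring.
 */
function block_temp_admin_screens() {
    global $pagenow;
    if ( ! in_array( $pagenow, array( 'customize.php', 'options.php' ), true ) ) {
        return;
    }
    $uid = get_current_user_id();
    if ( is_restricted_temp_admin( $uid ) ) {
        error_log( sprintf( 'Blocked restricted temp admin %d from %s', $uid, $pagenow ) );
        wp_die( esc_html__( 'This screen is not available to temporary accounts.' ), '', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'block_temp_admin_screens' );
```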