Vendor
An authenticated attacker with Subscriber-level access or higher can exploit a missing authorization and meta key validation vulnerability in the WP Grid Builder plugin for WordPress (versions up to and including 2.3.3) by sending a crafted nested array payload to the `/wp-json/wpgb/v2/metadata` REST endpoint, which allows them to update their own `wp_capabilities` user meta and effectively escalate their privileges to Administrator level.