A vulnerability in the popular AMP for WP plugin allows any registered user to escalate their privileges and gain administrative access to the site. It was caused by the plugin not properly using WordPress nonces and the current_user_can() function in various administrative functions. The vulnerabilities have been fixed in version 0.9.97.20, which was released two weeks ago and is available through WordPress’ automatic update feature. Many publishers do not use this feature, however, and they would remain unprotected.
Source: https://www.bleepingcomputer.com/news/security/vulnerability-in-amp-for-wp-plugin-allowed-admin-access-to-wordpress/
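The class of bug described above, shown as an added example that is not the AMP for WP plugin's code: a WordPress AJAX settings handler without the nonce and current_user_can() checks, next to a hardened version. The handler, action and option names (`example_save_settings`, `example_plugin_setting`) and the `manage_options` capability choice are assumptions made for illustration.

```php
<?php
// Hypothetical plugin code for illustration; all example_* names are invented.

// BEFORE (shown for comparison, not registered on any hook).
// If hooked on wp_ajax_*, this runs for every logged-in user, subscribers
// included, because wp_ajax_* only requires that the caller is authenticated.
function example_save_settings_unsafe() {
    // No nonce check and no capability check before changing site state.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// AFTER: verify request origin (nonce) and authorization (capability)
// before touching any option.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // 1. Nonce: ties the request to a form this site rendered for this user.
    //    Passing false as the third argument makes check_ajax_referer()
    //    return false instead of calling die(), so we control the response.
    if ( ! check_ajax_referer( 'example_save_settings', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Capability: a valid nonce is not authorization. The role check is
    //    what keeps low-privileged accounts out of administrative actions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Only now read, sanitize and store the input.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// The matching nonce is emitted only on the admin settings screen, e.g.
// wp_create_nonce( 'example_save_settings' ) placed in the settings form.
```

When auditing a plugin for this pattern, list every `wp_ajax_*` and `admin_post_*` callback and confirm each one performs both checks before any write.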