WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
https://github.com/WordPress/wordpress-develop/commit/2d677cd4b2e24d0b5f17a3a278c719051bbe8e35