• Warning! Dangerous plugin, allowing anyone to register as an admin on your website!

    Like thousands of people, I had installed the “WP User Avatar” plugin for a quick and easy customization of user avatars on one of my blogs (given that in 2021, by default, WordPress STILL does NOT offer anything better than its “Gravatar”).
    Recently, “WP User Avatar” has become “ProfilePress”: a plugin whose features might be interesting for some users, but which certainly transforms the initial plugin into a white elephant, for all the bloggers who just wanted an avatar customization system.
    I had planned to replace this plugin soon with a more basic one…

    Last Thursday, I received an email telling me that a user had registered on my site. I thought it was a simple subscriber, although I thought I had disabled user registration in the general settings of my website. When I logged into my back office, I discovered that registration on my site was indeed disabled; however, a new account appeared in the list of users. And beware: it was not a simple subscriber, but an administrator! ProfilePress (I had version 3.1.2) allowed the creation of an admin account on my site. This security flaw is unacceptable!
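    The check a site owner in this situation wants is an audit of every administrator account against what the site should contain: is registration actually disabled, and did any administrator appear that was not created on purpose? The script below is an added example, not code from the poster or from the ProfilePress plugin. It assumes WP-CLI output in the shape of `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv` and `wp option get users_can_register`; the CSV rows, the allow-list of known administrators, and the date registration was switched off are all constructed here for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of:
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv
SAMPLE_USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,owner,owner@example.com,2015-03-02 10:11:12,administrator
7,reader,reader@example.com,2019-08-20 09:00:00,subscriber
42,johnsmith,john@example.net,2021-06-10 03:14:07,administrator
"""

# Constructed value in the shape of: wp option get users_can_register
SAMPLE_USERS_CAN_REGISTER = "0"

# Assumption: the site owner maintains this allow-list of legitimate admin logins.
KNOWN_ADMINS = {"owner"}

# Assumption: the date on which self-registration was turned off in Settings > General.
REGISTRATION_DISABLED_SINCE = datetime(2018, 1, 1)


def parse_users(csv_text):
    """Parse WP-CLI CSV output into dicts with a parsed timestamp and a role set."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.append({
            "id": int(row["ID"]),
            "login": row["user_login"],
            "email": row["user_email"],
            "registered": datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S"),
            # WP-CLI joins multiple roles with commas; keep them as a set.
            "roles": {r.strip() for r in row["roles"].split(",") if r.strip()},
        })
    return users


def registration_is_open(option_value):
    """True when users_can_register is '1', i.e. anyone may self-register."""
    return option_value.strip() == "1"


def suspicious_admins(users, known_admins, disabled_since, registration_open):
    """Flag administrator accounts the site owner did not knowingly create.

    Two independent signals, each reported with its reason:
      - an administrator login that is not on the allow-list
      - an administrator registered while self-registration was disabled,
        which core WordPress on its own should never produce
    """
    findings = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        reasons = []
        if u["login"] not in known_admins:
            reasons.append("not on the allow-list of known administrators")
        if not registration_open and u["registered"] >= disabled_since:
            reasons.append("registered after self-registration was disabled")
        if reasons:
            findings.append({"id": u["id"], "login": u["login"], "reasons": reasons})
    return findings


def audit(csv_text=SAMPLE_USERS_CSV, option_value=SAMPLE_USERS_CAN_REGISTER,
          known_admins=KNOWN_ADMINS, disabled_since=REGISTRATION_DISABLED_SINCE):
    """Run both checks over one export and return the list of findings."""
    users = parse_users(csv_text)
    return suspicious_admins(users, known_admins, disabled_since,
                             registration_is_open(option_value))


if __name__ == "__main__":
    for f in audit():
        print(f"ID {f['id']} ({f['login']}): " + "; ".join(f["reasons"]))
```

    Run it against a fresh export rather than a cached one, and treat any finding as an incident rather than a cleanup: removing the account (for example with `wp user delete <ID> --reassign=<your ID>`) is the first step, but an attacker who held administrator rights could also have changed other settings or installed code, so the plugin should be updated or removed and the site reviewed beyond the user list.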

  • The topic ‘A really dangerous security flaw’ is closed to new replies.