• Someone who assisted me in transferring my WordPress site to a new server disabled the Disqus plugin.

    A few hours later, I noticed one of my posts was renamed to spam about a brand of boots.

    I quickly investigated and noticed there were 33 administrators on WordPress.

    I checked Settings –> General.

    Membership setting was set to X anyone can register.
    New User Default Role was set to “Administrator”.

    Basically any new users are admins by default upon registration.

    I told the guy and he thinks that when he disabled Disqus, for some reason the “subscriber” setting was ignored by WordPress, and instead the “Admin” option kicked in.

    That sounded like a vulnerability bug.

Viewing 1 replies (of 1 total)
  • The topic ‘Disqus / WordPress 3.5.1 vulnerability?’ is closed to new replies.
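
An added example, not part of the original post: a small audit of the two settings named in the post (`users_can_register` and `default_role` in `wp_options`) together with a list of administrator accounts registered after a cutoff time. The sample rows, the default `wp_` table prefix, the `migrated_at` cutoff and the choice of which roles count as privileged are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample rows (not from the post), shaped like WordPress's
# wp_options, wp_users and wp_usermeta tables with the default "wp_" prefix.
OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
USERS = [  # (ID, user_login, user_registered)
    (1, "owner", "2012-06-01 09:00:00"),
    (7, "boots-deals", "2013-03-02 14:11:05"),
    (8, "reader42", "2013-03-02 15:40:19"),
]
USERMETA = [  # (user_id, meta_key, meta_value); roles are a PHP-serialized array
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (8, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
]
PRIVILEGED = {"administrator", "editor"}  # assumption: roles unsafe as a default
TS = "%Y-%m-%d %H:%M:%S"

def roles_from_capabilities(serialized):
    """Return the role names set to true in a serialized wp_capabilities value."""
    return set(re.findall(r's:\d+:"([^"]+)";b:1;', serialized))

def audit(options, users, usermeta, migrated_at):
    """Flag risky registration settings and admins registered since migrated_at."""
    findings = []
    open_reg = options.get("users_can_register") == "1"
    default_role = options.get("default_role", "subscriber")
    if open_reg and default_role in PRIVILEGED:
        findings.append(f"open registration grants '{default_role}' to every new account")
    elif default_role in PRIVILEGED:
        findings.append(f"default_role is '{default_role}' (registration currently closed)")
    admins = {uid for uid, key, val in usermeta
              if key == "wp_capabilities"
              and "administrator" in roles_from_capabilities(val)}
    cutoff = datetime.strptime(migrated_at, TS)
    suspects = [login for uid, login, registered in users
                if uid in admins and datetime.strptime(registered, TS) >= cutoff]
    return findings, sorted(suspects)

if __name__ == "__main__":
    findings, suspects = audit(OPTIONS, USERS, USERMETA, "2013-03-01 00:00:00")
    for finding in findings:
        print("FINDING:", finding)
    print("administrators registered since the cutoff:", suspects)
```

Run against real exports of the three tables, the second result gives the accounts to review and demote or delete once the default role is back to Subscriber.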