The User API available in Velocity scripts exposes setDisabledStatus without any rights protection, which means a user with only script right can use it to enable or disable users.
- Create a user with edit and script rights
- With that user, create a page with this content:
- Save and view the page
- Nothing should happen
- Nothing is displayed, and when the admin user tries to log in, he is disabled
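
The missing check described above, as a simplified Java model added here (not XWiki's code and not the project's fix). Every name except setDisabledStatus is hypothetical, and requiring an admin right for the change is an assumption.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified model of a script-facing user API; NOT XWiki's code. Names are hypothetical.
public class ScriptUserApiDemo {
    enum Right { EDIT, SCRIPT, ADMIN }

    // Stored account that the script-facing object wraps.
    static final class Account {
        final String name;
        boolean disabled;
        Account(String name) { this.name = name; }
    }

    // Object handed to scripts: "caller" holds the rights of the script author.
    static final class ScriptUser {
        private final Account target;
        private final Set<Right> caller;
        ScriptUser(Account target, Set<Right> caller) { this.target = target; this.caller = caller; }

        // Flawed shape described in the report: state changes with no right check.
        void setDisabledStatusUnchecked(boolean disabled) { target.disabled = disabled; }

        // Guarded shape (assumption: ADMIN is the right that should be required).
        // Returns false and leaves the account untouched when the caller lacks it.
        boolean setDisabledStatus(boolean disabled) {
            if (!caller.contains(Right.ADMIN)) {
                return false;
            }
            target.disabled = disabled;
            return true;
        }
    }

    public static void main(String[] args) {
        Set<Right> scripter = EnumSet.of(Right.EDIT, Right.SCRIPT); // constructed sample caller
        Account admin = new Account("Admin");                       // constructed sample account

        new ScriptUser(admin, scripter).setDisabledStatusUnchecked(true);
        System.out.println("unchecked: disabled=" + admin.disabled);

        admin.disabled = false; // reset before exercising the guarded method
        boolean changed = new ScriptUser(admin, scripter).setDisabledStatus(true);
        System.out.println("guarded: changed=" + changed + ", disabled=" + admin.disabled);

        changed = new ScriptUser(admin, EnumSet.of(Right.ADMIN)).setDisabledStatus(true);
        System.out.println("admin caller: changed=" + changed + ", disabled=" + admin.disabled);
    }
}
```

A regression test for the real API would follow the same pattern: call the method as a user holding only edit and script rights and assert that the target account's status is unchanged.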