Thanks for letting me know about this, I was really surprised that I was able to produce this problem.
The solution is quite simple, you can fix this immediately in your copy by editing the Web/Components/mojoRoleProvider.cs, comment out line 291
//roleCookie.Expires = DateTime.Now.AddMinutes(20);
the problem is that setting the Expires made this not a session cookie but a persistent cookie with a 20 minute timeout.
So, the only way this could be exploited is if the admin user closed the browser without signing out and another user signs in from the same machine within 20 minutes, then the user would have escalated permissions.
I have fixed this in my copy, it will be fixed in the coming release.