Look at http://www.nsa.gov/snac and read the Switching and Routing STIGs. They cover the vulnerabilities and countermeasures for jumping over VLANs on a switch.
Essentially, you would send a packet(s) with two VLAN tags on it. The first would be the VLAN you’re on (like VLAN 10) and the second would be the VLAN you want to get to (like 20). When the switch strips off the first vlan tag, you can transverse over to the second VLAN inside the switch.
I have never tested this in the lab, but it makes sense. However, someone would have to know that it was setup that way or do a lot of testing to find out it’s configured that way. However, there is a proof of concept with VLAN hopping. The STIGs will tell you how to reduce the ability of hopping over the VLAN as well as other measures to securing the switch.
Of course, to eliminate the entire problem, buy and use another switch and don’t tie it to your internal VLAN architecture. However, there might be a compelling reason to do such outside of cost.
Hope this helps,