Description
The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options` capability to the `backstage_customizer_user` demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as `default_role`, leading to privilege escalation.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Wed, 08 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options` capability to the `backstage_customizer_user` demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as `default_role`, leading to privilege escalation. | |
| Title | Backstage <= 1.4.2 - Unauthenticated Privilege Escalation via Permissive Demo Role Capabilities | |
| Weaknesses | CWE-269 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-08T04:30:49.525Z
Reserved: 2026-05-28T13:26:31.589Z
Link: CVE-2026-9842
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-269
Improper Privilege Management