CVE-2026-9842 PUBLISHED

Backstage <= 1.4.2 - Unauthenticated Privilege Escalation via Permissive Demo Role Capabilities

Assigner: Wordfence
Reserved: 28.05.2026 Published: 08.07.2026 Updated: 08.07.2026

The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the manage_options capability to the backstage_customizer_user demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as default_role, leading to privilege escalation.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 7.5

Product Status

Vendor pixelgrade
Product Backstage – Customizer Demo Access
Versions Default: unaffected
  • affected from 0 to 1.4.2 (incl.)

Credits

  • Nabil Irawan finder

References

Problem Types

  • CWE-269 Improper Privilege Management CWE