Home

Description

The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options` capability to the `backstage_customizer_user` demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as `default_role`, leading to privilege escalation.

PUBLISHED Reserved 2026-05-28 | Published 2026-07-08 | Updated 2026-07-08 | Assigner Wordfence




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-269 Improper Privilege Management

Product status

Default status
unaffected

Any version
affected

Timeline

2026-03-23:Discovered
2026-07-07:Disclosed

Credits

Nabil Irawan finder

References

www.wordfence.com/...-0946-4e96-a81b-00c7c48d64b3?source=cve

plugins.trac.wordpress.org/...2/includes/class-Backstage.php

plugins.trac.wordpress.org/...2/includes/class-Backstage.php

cve.org (CVE-2026-9842)

nvd.nist.gov (CVE-2026-9842)

Download JSON