Skip to main content

Backstage Plugin CVE-2026-9842

| EUVDEUVD-2026-42160 HIGH
Improper Privilege Management (CWE-269)
2026-07-08 Wordfence GHSA-xwxr-p855-gjc3
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network access to the demo flow (PR:N/AV:N/AC:L) allows arbitrary option writes; direct impact is integrity-only (I:H), with no direct confidentiality or availability loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 05:20 vuln.today
CVE Published
Jul 08, 2026 - 04:30 cve.org
HIGH 7.5

DescriptionCVE.org

The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the manage_options capability to the backstage_customizer_user demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as default_role, leading to privilege escalation.

AnalysisAI

Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad manage_options capability to its backstage_customizer_user demo role, so an attacker reaching the demo flow can change settings such as default_role and escalate to a privileged account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed demo Customizer endpoint
Delivery
Obtain backstage_customizer_user role with manage_options
Exploit
Send option-update request for default_role
Execution
Set default role to administrator and enable registration
Persist
Register auto-privileged admin account
Impact
Gain administrative control of site

Vulnerability AssessmentAI

Exploitation Exploitation requires the Backstage - Customizer Demo Access plugin (≤1.4.2) to be installed and its Customizer demo feature active and reachable, since the attack rides the `backstage_customizer_user` demo role that receives `manage_options`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, base 7.5) describes a network-reachable, low-complexity, unauthenticated attack with high integrity impact and no confidentiality or availability impact - consistent with silently altering site configuration rather than reading data or causing downtime. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker browses to a WordPress site running Backstage with demo access enabled and starts a Customizer demo session, obtaining the `backstage_customizer_user` role that improperly holds `manage_options`. Using that capability, the attacker submits an option-update request to change `default_role` to `administrator` and enable open registration, then registers a new account that is automatically granted administrator privileges. …
Remediation No vendor-released patch version is identified in the available data, so no fixed release can be cited with confidence - monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5bcf1f02-0946-4e96-a81b-00c7c48d64b3) and the plugin's WordPress.org page for a release above 1.4.2 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for the Pixelgrade Backstage - Customizer Demo Access plugin (versions ≤1.4.2) and disable or remove it immediately; if temporary retention is necessary, restrict access to admin pages via WAF rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy