Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network access to the demo flow (PR:N/AV:N/AC:L) allows arbitrary option writes; direct impact is integrity-only (I:H), with no direct confidentiality or availability loss.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the manage_options capability to the backstage_customizer_user demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as default_role, leading to privilege escalation.
AnalysisAI
Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad manage_options capability to its backstage_customizer_user demo role, so an attacker reaching the demo flow can change settings such as default_role and escalate to a privileged account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Backstage - Customizer Demo Access plugin (≤1.4.2) to be installed and its Customizer demo feature active and reachable, since the attack rides the `backstage_customizer_user` demo role that receives `manage_options`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, base 7.5) describes a network-reachable, low-complexity, unauthenticated attack with high integrity impact and no confidentiality or availability impact - consistent with silently altering site configuration rather than reading data or causing downtime. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker browses to a WordPress site running Backstage with demo access enabled and starts a Customizer demo session, obtaining the `backstage_customizer_user` role that improperly holds `manage_options`. Using that capability, the attacker submits an option-update request to change `default_role` to `administrator` and enable open registration, then registers a new account that is automatically granted administrator privileges. … |
| Remediation | No vendor-released patch version is identified in the available data, so no fixed release can be cited with confidence - monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5bcf1f02-0946-4e96-a81b-00c7c48d64b3) and the plugin's WordPress.org page for a release above 1.4.2 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for the Pixelgrade Backstage - Customizer Demo Access plugin (versions ≤1.4.2) and disable or remove it immediately; if temporary retention is necessary, restrict access to admin pages via WAF rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42160
GHSA-xwxr-p855-gjc3