Skip to main content

Backstage Customizer Demo Access

1 CVEs product

Monthly

CVE-2026-9842 HIGH This Week

Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress Backstage Customizer Demo Access
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH This Week

Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress Backstage Customizer Demo Access
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy