Backstage Customizer Demo Access
Monthly
Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.