PT-2026-56315 · Pixelgrade · Backstage – Customizer Demo Access

Nabil Irawan

·

Publicado

2026-07-08

·

Atualizado

2026-07-08

·

CVE-2026-9842

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the manage options capability to the backstage customizer user demo role, which is more permissive than necessary for Customizer-only demo access. This makes it possible for unauthenticated attackers to navigate beyond the Customizer and update arbitrary WordPress options such as default role, leading to privilege escalation.

Correção

Improper Privilege Management

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-9842

Produtos afetados

Backstage – Customizer Demo Access