Privilege Escalation in Backstage Customizer Demo Access Plugin for WordPress
CVE-2026-9842
7.5HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 8 July 2026
What is CVE-2026-9842?
The Backstage - Customizer Demo Access plugin for WordPress contains a vulnerability that allows unauthorized users to gain elevated privileges. This occurs because the plugin grants the manage_options capability to the demo role backstage_customizer_user, which should be limited to Customizer access. As a result, attackers can exploit this oversight, enabling them to access and modify critical WordPress options like default_role, effectively leading to potential control over the WordPress site.
Affected Version(s)
Backstage β Customizer Demo Access 0 <= 1.4.2