20,000 WordPress Sites Compromised by Backdoor Vulnerability Enabling Malicious Admin Access


A critical backdoor vulnerability in the LA-Studio Element Kit for Elementor WordPress plugin poses an immediate threat to more than 20,000 WordPress installations.

The vulnerability, tracked as CVE-2026-0920 with a CVSS severity rating of 9.8 (Critical), enables unauthenticated attackers to create administrator accounts and achieve complete site compromise.

The plugin's AJAX registration handler fails to restrict the role assigned to a newly registered user: an attacker can supply a lakit_bkrole parameter in the registration request and have the new account created with administrator privileges. The malicious code was deliberately obfuscated, indicating intentional concealment rather than an accidental bug.

All versions of the plugin up to and including 1.5.6.3 are affected. Once an attacker holds an administrator account, they can upload malicious plugin and theme files, modify website content, inject spam, or redirect visitors to phishing sites.

The attack requires no authentication, making it exceptionally dangerous for unpatched installations.

Insider Threat Attribution

The discovery process revealed a troubling cause: a former employee of LA-Studio deliberately injected the backdoor code before their employment ended at the end of December 2025.

The vulnerability resides in the ajax_register_handle function within the LA-Studio_Kit_Integration class.
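The vulnerable pattern described above, and the form it should take, as an added illustration that is not the plugin's actual source and not Wordfence's analysis. Only the handler name ajax_register_handle and the parameter name lakit_bkrole come from the advisory; the surrounding class is not reproduced, and the AJAX action names, field names, nonce action and validation rules here are assumptions for the example. The point is that a role read from an unauthenticated request must never reach wp_insert_user.

```php
<?php
// Illustrative reconstruction, not the plugin's real code. Assumed names:
// the AJAX action 'lakit_register', the form fields, the nonce action and
// the validation rules are assumptions; lakit_bkrole is the parameter the
// advisory names.

/**
 * Vulnerable pattern: the role comes straight from the POST body, so an
 * unauthenticated request to admin-ajax.php can register an administrator
 * simply by sending lakit_bkrole=administrator.
 */
function lakit_vulnerable_register_handle() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    $role     = sanitize_text_field( wp_unslash( $_POST['lakit_bkrole'] ?? 'subscriber' ) );

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role, // attacker-controlled: 'administrator' is accepted as-is
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

/**
 * Hardened form: the role is never read from the request. Registration is
 * gated on the site-wide "Anyone can register" setting, a nonce is checked,
 * inputs are validated, and the role is always the site's configured
 * default (normally 'subscriber').
 */
function lakit_hardened_register_handle() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // Nonce action name 'lakit_register' is an assumption for this example.
    check_ajax_referer( 'lakit_register', 'nonce' );

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }

    // Any lakit_bkrole value in the request is simply ignored here.
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// A registration endpoint is unauthenticated by design (nopriv hook), which
// is exactly why the role must be fixed server-side. Action name assumed.
add_action( 'wp_ajax_nopriv_lakit_register', 'lakit_hardened_register_handle' );
```

When reviewing any registration or user-creation code, grep for the 'role' key of wp_insert_user and wp_update_user and for every call to WP_User::set_role or add_role, and confirm that none of them can be fed a value derived from $_GET, $_POST or $_REQUEST. Obfuscated code in a plugin (base64_decode, eval, chained str_rot13 or gzinflate calls) is itself a finding worth escalating, regardless of what it turns out to do.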

Technical Analysis (Source: Wordfence).

This insider threat highlights gaps in code review, developer monitoring, and employee offboarding. Organizations should audit the commits of a departing developer, including changes made in the weeks before departure, and revoke repository, build and release-publishing access as part of offboarding rather than assume that code authored before termination is benign.

The vulnerability was responsibly reported through the Wordfence Bug Bounty Program on January 12, 2026.

Wordfence validated the exploit within 24 hours and immediately notified LA-Studio through their Vulnerability Management Portal.

The vendor demonstrated commendable responsiveness, acknowledging the report and releasing patched version 1.6.0 on January 14, 2026, a turnaround of just one day.

Security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham earned a $975 bounty for this discovery, demonstrating the value of coordinated vulnerability research.

Protection and Patching Strategy

Wordfence Premium, Care, and Response users received firewall protection on January 13, 2026. Free Wordfence users will gain the same protection on February 12, 2026, providing a 30-day advantage for paying customers.

This tiered protection model incentivizes premium subscriptions while eventually covering the broader user base.

All WordPress site administrators using LA-Studio Element Kit for Elementor must update immediately to version 1.6.0 or later.

The critical nature of this vulnerability, combined with its ease of exploitation and potential for complete site takeover, makes prompt patching essential. Administrators should verify their plugin versions and apply updates without delay. Because the backdoor allowed administrator accounts to be created without authentication, updating alone does not undo a compromise that already happened: administrators should also review the site's administrator accounts and remove any they did not create.
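A post-patch check that a site owner can run from the command line, added here as an example and not part of the advisory or the plugin. It is a WP-CLI eval script that reports the installed plugin version against the fixed version 1.6.0 and lists every administrator account, flagging those registered after a cutoff date. The plugin's file path and the cutoff date are assumptions and must be adjusted to the site (use "wp plugin list" to find the real plugin slug).

```php
<?php
// Run inside the WordPress root with:  wp eval-file lakit_audit.php
// Assumptions for this example: the plugin's main file path and the cutoff
// date below; neither comes from the advisory.
$plugin_file = 'lastudio-element-kit/lastudio-element-kit.php'; // assumed path
$fixed_in    = '1.6.0';                                          // from the advisory
$cutoff      = '2025-12-01 00:00:00';                            // assumed review window

require_once ABSPATH . 'wp-admin/includes/plugin.php';

$plugin_path = WP_PLUGIN_DIR . '/' . $plugin_file;
if ( file_exists( $plugin_path ) ) {
    $data     = get_plugin_data( $plugin_path, false, false );
    $is_fixed = version_compare( $data['Version'], $fixed_in, '>=' );
    if ( $is_fixed ) {
        WP_CLI::success( sprintf( '%s %s is at or above %s.', $data['Name'], $data['Version'], $fixed_in ) );
    } else {
        WP_CLI::warning( sprintf( '%s %s is VULNERABLE; update to %s or later now.', $data['Name'], $data['Version'], $fixed_in ) );
    }
} else {
    WP_CLI::log( 'Plugin file not found at the assumed path; check "wp plugin list".' );
}

// Every administrator account, oldest first. Accounts registered after the
// cutoff deserve a closer look, but an attacker-created account can also be
// older than the cutoff, so read the whole list, not only the flagged rows.
$admins = get_users( array(
    'role'    => 'administrator',
    'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    'orderby' => 'registered',
    'order'   => 'ASC',
) );

$flagged = 0;
foreach ( $admins as $admin ) {
    $recent = strtotime( $admin->user_registered ) >= strtotime( $cutoff );
    $line   = sprintf( '#%d %s <%s> registered %s', $admin->ID, $admin->user_login, $admin->user_email, $admin->user_registered );
    if ( $recent ) {
        $flagged++;
        WP_CLI::warning( 'Administrator registered after cutoff: ' . $line );
    } else {
        WP_CLI::log( '    ' . $line );
    }
}
WP_CLI::log( sprintf( '%d administrator account(s), %d registered since %s.', count( $admins ), $flagged, $cutoff ) );
```

An unexpected administrator should be removed with "wp user delete <ID> --reassign=<trusted-admin-ID>" only after the site has been checked for the other post-compromise artifacts the advisory lists (newly uploaded plugins or themes, modified content, injected redirects), since deleting the account does not remove anything it installed.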

This incident underscores the evolving threat landscape in WordPress security. Insider threats targeting popular plugins can impact tens of thousands of sites simultaneously.

Organizations must implement layered security controls including code review processes, developer monitoring, access revocation procedures, and regular security audits.

WordPress site owners are urged to share this advisory with peers using the affected plugin and implement comprehensive vulnerability monitoring through security plugins or managed security services.

