20,000 WordPress Sites Affected by Backdoor Vulnerability Allowing Malicious Admin User Creation

A critical backdoor vulnerability has been discovered in the LA-Studio Element Kit for Elementor, a popular WordPress plugin used by more than 20,000 active sites.

This security flaw allows attackers to create administrator accounts without any authentication, putting thousands of websites at risk of complete takeover.

The vulnerability, tracked as CVE-2026-0920, carries a CVSS score of 9.8, marking it as a critical threat that requires immediate action from site administrators.

The backdoor was introduced by a former employee who left the company in late December 2025. According to LA-Studio, the developer modified the plugin code shortly before their employment ended, inserting hidden functionality that allows unauthorized administrator account creation.

This incident highlights the growing concern around insider threats and the importance of code review processes during employee transitions.

Security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham discovered the vulnerability on January 12, 2026, and reported it through the Wordfence Bug Bounty Program.

Wordfence analysts identified the flaw within the plugin’s user registration system, specifically in the ajax_register_handle function. The vulnerability was patched quickly, with version 1.6.0 released on January 14, 2026, just two days after the initial report.

The vulnerability exists in all versions up to and including 1.5.6.3 of the LA-Studio Element Kit for Elementor plugin. Attackers can exploit this flaw by sending a specially crafted registration request containing the lakit_bkrole parameter.

Once successful, they gain full administrative access to the targeted WordPress site, allowing them to upload malicious files, modify content, redirect visitors to harmful websites, or inject spam content.

Vulnerability Details:

| Attribute | Details |
|---|---|
| Vulnerability Name | Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation |
| CVE ID | CVE-2026-0920 |
| CVSS Score | 9.8 (Critical) |
| Affected Plugin | LA-Studio Element Kit for Elementor |
| Plugin Slug | lastudio-element-kit |
| Affected Versions | ≤ 1.5.6.3 |
| Patched Version | 1.6.0 |
| Active Installations | 20,000+ |
| Attack Vector | lakit_bkrole parameter in registration request |
| Vulnerability Type | Backdoor / Administrative User Creation |
| Discoverers | Athiwat Tiprasaharn, Itthidej Aramsri, Waris Damkham |
| Bounty Amount | $975.00 |
| Discovery Date | January 12, 2026 |
| Patch Release Date | January 14, 2026 |
| Wordfence Protection | January 13, 2026 (Premium), February 12, 2026 (Free) |

Wordfence researchers noted that the backdoor code was deliberately obfuscated to avoid detection during security reviews. This evasion technique made the malicious functionality harder to spot, allowing it to remain hidden within the plugin’s codebase.

The obfuscated code specifically targeted the user registration process, adding administrator capabilities to newly created accounts when the hidden parameter was present.

The Obfuscated Backdoor Mechanism

The backdoor operates through a carefully hidden modification within the plugin’s registration handling system.

When examining the code, Wordfence analysts found that the ajax_register_handle function contained obfuscated logic that checked for the presence of the lakit_bkrole parameter during user registration.

If this parameter was detected, the function would trigger additional filters that assigned administrator privileges to the newly created account.

The obfuscation included techniques like string manipulation and indirect function calls, making the malicious code blend seamlessly with legitimate plugin functionality.

This clever disguise allowed the backdoor to bypass standard security audits and remain undetected until researchers specifically investigated suspicious patterns in the registration workflow.
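As an added example (not code from the article, Wordfence or LA-Studio), a small Python triage script for a site that ran this plugin: it checks the plugin header's version against the 1.6.0 fix, scans the source for the lakit_bkrole marker the article names, and lists administrator accounts registered on or after the January 12, 2026 discovery date from `wp user list --format=json` output. The JSON field names are wp-cli's; every sample input is constructed.

```python
import json
import re
from datetime import date

PATCHED = (1, 6, 0)            # 1.6.0 removed the backdoor
DISCLOSED = date(2026, 1, 12)  # discovery date given in the article
# Literal parameter name plus the trivial split form 'lakit_' . 'bkrole';
# heavier obfuscation (encoded strings, indirect calls) needs manual review.
MARKER = re.compile(r"lakit_?['\"]?\s*\.?\s*['\"]?bkrole")

def parse_version(header_text):
    """Read the 'Version:' field of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.M)
    if not m:
        raise ValueError("no Version: field in plugin header")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable_version(header_text):
    """True for every release below 1.6.0, i.e. up to and including 1.5.6.3."""
    return parse_version(header_text) < PATCHED

def find_backdoor_markers(php_source):
    """Return 1-based line numbers that reference the backdoor parameter."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if MARKER.search(line)]

def suspicious_admins(users_json, since=DISCLOSED):
    """Logins of administrators registered on/after `since`, from
    `wp user list --format=json` output (roles is a comma-separated string)."""
    flagged = []
    for u in json.loads(users_json):
        registered = date.fromisoformat(u["user_registered"][:10])
        if "administrator" in u["roles"].split(",") and registered >= since:
            flagged.append(u["user_login"])
    return flagged

if __name__ == "__main__":
    # Constructed sample inputs, not real plugin files or site data.
    header = "/**\n * Plugin Name: LA-Studio Element Kit for Elementor\n * Version: 1.5.6.3\n */"
    php = "<?php\n$role = isset($_POST['lakit_' . 'bkrole']);\n"
    users = json.dumps([
        {"user_login": "owner", "roles": "administrator", "user_registered": "2024-03-01 10:00:00"},
        {"user_login": "x9k2", "roles": "administrator", "user_registered": "2026-01-13 02:14:55"},
    ])
    print(is_vulnerable_version(header), find_backdoor_markers(php), suspicious_admins(users))
```

A flagged account is a lead, not proof: the same pattern appears when a legitimate administrator was added during that window, so confirm against the site's own change records.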
