
20,000 WordPress Sites Affected by Backdoor Vulnerability Allowing Malicious Admin User Creation

  • January 23, 2026

Jasper_The_Rasper
Moderator

January 23, 2026 By Tushar Subhra Dutta

 


A critical backdoor vulnerability has been discovered in the LA-Studio Element Kit for Elementor, a popular WordPress plugin used by more than 20,000 active sites.

The flaw lets unauthenticated attackers create administrator accounts, putting thousands of websites at risk of complete takeover.

The vulnerability, tracked as CVE-2026-0920, carries a CVSS score of 9.8, marking it as a critical threat that requires immediate action from site administrators.

The backdoor was introduced by a former employee who left the company in late December 2025. According to LA-Studio, the developer modified the plugin code shortly before their employment ended, inserting hidden functionality that allows unauthorized administrator account creation.

This incident highlights the growing concern around insider threats and the importance of code review processes during employee transitions.

Security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham discovered the vulnerability on January 12, 2026, and reported it through the Wordfence Bug Bounty Program.

Wordfence analysts identified the flaw within the plugin’s user registration system, specifically in the ajax_register_handle function. The vulnerability was patched quickly, with version 1.6.0 released on January 14, 2026, just two days after the initial report.

The vulnerability exists in all versions up to and including 1.5.6.3 of the LA-Studio Element Kit for Elementor plugin. Attackers can exploit it by sending a specially crafted registration request that includes the undocumented lakit_bkrole parameter, which results in the newly registered account being created as an administrator.

Once successful, they gain full administrative access to the targeted WordPress site, allowing them to upload malicious files, modify content, redirect visitors to harmful websites, or inject spam content.

Vulnerability Details:

Attribute               Details
Vulnerability Name      Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation
CVE ID                  CVE-2026-0920
CVSS Score              9.8 (Critical)
Affected Plugin         LA-Studio Element Kit for Elementor
Plugin Slug             lastudio-element-kit
Affected Versions       ≤ 1.5.6.3 (all releases up to and including 1.5.6.3)
Patched Version         1.6.0
Active Installations    20,000+
Attack Vector           lakit_bkrole parameter in an unauthenticated registration request
Vulnerability Type      Backdoor / Administrative User Creation
Discoverers             Athiwat Tiprasaharn, Itthidej Aramsri, Waris Damkham
Bounty Amount           $975.00
Discovery Date          January 12, 2026
Patch Release Date      January 14, 2026
Wordfence Protection    Firewall rule: January 13, 2026 (Premium), February 12, 2026 (Free)

Wordfence researchers noted that the backdoor code was deliberately obfuscated to evade detection during security review. The obfuscation made the malicious functionality harder to spot and let it stay hidden in the plugin's codebase until the bug-bounty report.
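As an added example (not code from the article, from Wordfence or from LA-Studio), the following Python triage script covers the three checks a site administrator needs after reading the description above: whether the installed plugin version is at or below 1.5.6.3, whether the lakit_bkrole parameter name appears literally in the plugin source (with the caveat that obfuscated code may never contain it in clear text, so a clean scan proves nothing), and which administrator accounts were registered since the backdoored release could have been installed. The plugin header format, the WP-CLI export command, the constructed sample files and user rows, and the install date are assumptions, not facts from the page.

```python
"""Post-advisory triage for CVE-2026-0920 in LA-Studio Element Kit for Elementor.

Added example, not code from the article, Wordfence or LA-Studio. Assumptions
(not stated on the page): the plugin's main file carries the usual WordPress
"Version:" header, users are exported with
`wp user list --fields=ID,user_login,user_registered,roles --format=csv`, and
the attacker's registration request cannot predate the install of the
backdoored release (passed in as `since`).
"""
import csv
import io
import re
from datetime import datetime
from pathlib import Path

PATCHED_VERSION = (1, 6, 0)       # first fixed release named in the advisory
INDICATOR = "lakit_bkrole"        # request parameter named in the advisory


def parse_version(text):
    """'1.5.6.3' -> (1, 5, 6, 3). Tuples compare element-wise, so 1.10 > 1.9."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(version):
    """All releases up to and including 1.5.6.3 are affected; 1.6.0 fixed it."""
    return parse_version(version) < PATCHED_VERSION


def version_from_header(header_text):
    """Read the 'Version:' line from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def find_indicator(sources):
    """Names of source files that contain the backdoor parameter literally.

    Caveat from the advisory: the code was obfuscated, so the string may be
    assembled at runtime and never appear in clear text. A clean scan here is
    NOT proof the backdoor is absent; the version check is the decisive test.
    """
    return sorted(name for name, text in sources.items() if INDICATOR in text)


def load_plugin_sources(plugin_dir):
    """Read every .php file under the plugin directory into {relative_path: text}."""
    root = Path(plugin_dir)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*.php")}


def suspicious_admins(users_csv, since):
    """Administrators registered on or after `since`: candidates for the backdoor."""
    flagged = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = {r.strip() for r in row["roles"].split(",")}
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered >= since:
            flagged.append(row["user_login"])
    return flagged


def triage(header_text, sources, users_csv, since):
    """Combine the three checks into one report dict."""
    version = version_from_header(header_text)
    return {
        "version": version,
        "vulnerable": version is not None and is_vulnerable(version),
        "indicator_hits": find_indicator(sources),
        "suspicious_admins": suspicious_admins(users_csv, since),
    }


# Constructed sample data for the demo (not real plugin code or a real site).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LA-Studio Element Kit for Elementor
 * Version: 1.5.6.3
 */
"""
SAMPLE_SOURCES = {
    "lastudio-element-kit.php": SAMPLE_HEADER,
    "includes/register.php": "<?php /* constructed sample */ $k = 'lakit_bkrole';",
}
SAMPLE_USERS_CSV = """ID,user_login,user_registered,roles
1,siteowner,2021-03-14 09:12:00,administrator
2,editor_jane,2023-07-02 11:00:00,editor
7,wp_support_sys,2026-01-09 03:41:17,administrator
"""
# Hypothetical install date of the backdoored release; use your own change log.
SAMPLE_SINCE = datetime(2025, 12, 20)

if __name__ == "__main__":
    report = triage(SAMPLE_HEADER, SAMPLE_SOURCES, SAMPLE_USERS_CSV, SAMPLE_SINCE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live site, replace the constructed inputs with `load_plugin_sources("wp-content/plugins/lastudio-element-kit")`, the header of its main plugin file, and the CSV produced by the WP-CLI command in the docstring. Any administrator the script flags should be confirmed against your own records before removal; the version check alone decides whether to update to 1.6.0 or later.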

 
