CVE-2026-0920
📋 TL;DR
The LA-Studio Element Kit for Elementor WordPress plugin allows unauthenticated attackers to create administrator accounts by manipulating the registration process. This affects all versions up to 1.5.6.3. Any WordPress site using this vulnerable plugin is at risk of complete compromise.
💻 Affected Systems
- LA-Studio Element Kit for Elementor WordPress plugin
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with administrator privileges, allowing data theft, defacement, malware injection, and further network penetration.
Likely Case
Attackers create administrator accounts to gain persistent access, install backdoors, steal sensitive data, and potentially compromise the entire WordPress installation.
If Mitigated
With proper monitoring and access controls, unauthorized admin creation would be detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation is a simple HTTP POST request manipulation: the 'lakit_bkrole' parameter is set to the administrator role during registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.6.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit
Restart Required: No
Instructions:
1. Update the LA-Studio Element Kit plugin to version 1.5.6.4 or later via the WordPress admin panel.
2. Verify the update completed successfully.
3. Check for any unauthorized administrator accounts and remove them.
🔧 Temporary Workarounds
Disable plugin registration
Temporarily disable the plugin's user registration functionality in the plugin settings, if available.
Deactivate vulnerable plugin
Completely deactivate the LA-Studio Element Kit plugin until patched.
🧯 If You Can't Patch
- Implement web application firewall rules to block requests containing 'lakit_bkrole' parameter
- Enable strict user role assignment monitoring and alerting for new administrator accounts
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins > LA-Studio Element Kit and check the version. If it is 1.5.6.3 or lower, you are vulnerable.
Check Version:
wp plugin get lastudio-element-kit --field=version
Verify Fix Applied:
After updating, verify that the plugin version is 1.5.6.4 or higher, then test the registration functionality with role manipulation attempts to confirm they no longer succeed.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to registration endpoints with 'lakit_bkrole' parameter
- Unexpected administrator user creation events
- Failed login attempts from newly created admin accounts
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=lastudio_kit_register containing role parameters
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "lastudio_kit_register" AND post_data CONTAINS "lakit_bkrole")
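The network indicator and SIEM query above, expressed as a small Python filter over log records, as an added example that is not part of this advisory or the vendor's code. It generalizes the query slightly by also checking the URL query string, not just the POST body. The log format (JSON lines carrying method, URI and raw POST body) and the sample records are constructed assumptions; stock web servers do not log request bodies, so this needs a WAF or reverse proxy configured to do so.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample records (not real traffic). Format is an assumption:
# JSON lines with source IP, method, URI and the raw POST body.
SAMPLE_LOG = '''\
{"ts":"2026-01-10T12:00:01Z","src":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=lastudio_kit_register&user_login=eve&user_email=eve%40example.invalid&lakit_bkrole=administrator"}
{"ts":"2026-01-10T12:00:05Z","src":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=lastudio_kit_register&user_login=bob&user_email=bob%40example.invalid"}
{"ts":"2026-01-10T12:00:09Z","src":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat"}
{"ts":"2026-01-10T12:00:12Z","src":"192.0.2.4","method":"GET","uri":"/wp-admin/admin-ajax.php?action=lastudio_kit_register&lakit_bkrole=editor","body":""}
'''

AJAX_PATH = "/wp-admin/admin-ajax.php"        # endpoint from the advisory
REGISTER_ACTION = "lastudio_kit_register"     # AJAX action from the advisory
ROLE_PARAM = "lakit_bkrole"                   # role parameter from the advisory


def request_params(rec):
    """Return (path, params): query-string and body parameters merged."""
    parsed = urlparse(rec.get("uri", ""))
    params = parse_qs(parsed.query, keep_blank_values=True)
    params.update(parse_qs(rec.get("body", ""), keep_blank_values=True))
    return parsed.path, params


def classify(rec):
    """'high' = registration call carrying a role parameter (the attack
    pattern), 'info' = plain registration call, None = not of interest."""
    path, params = request_params(rec)
    if path != AJAX_PATH or REGISTER_ACTION not in params.get("action", []):
        return None
    return "high" if ROLE_PARAM in params else "info"


def scan_log(text):
    """Return [(severity, src, requested_role)] for every registration hit."""
    hits = []
    for line in text.splitlines():
        rec = json.loads(line)
        sev = classify(rec)
        if sev is None:
            continue
        _, params = request_params(rec)
        hits.append((sev, rec.get("src"), params.get(ROLE_PARAM, [None])[0]))
    return hits
```

Any "high" hit should be correlated with a subsequent administrator user creation event in the WordPress audit log, since a legitimate registration never needs a client-supplied role.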