Administrative User Creation Vulnerability in LA-Studio Element Kit for Elementor Plugin
CVE-2026-0920
Key Information:
- Vendor: WordPress
- CVE Published: 22 January 2026
What is CVE-2026-0920?
CVE-2026-0920 is a serious vulnerability in LA-Studio Element Kit for Elementor, a WordPress plugin for building and enhancing web elements with Elementor. It affects all versions up to and including 1.5.6.3 and arises from the ajax_register_handle function, which fails to adequately restrict user role registrations. As a result, an unauthenticated attacker can supply the lakit_bkrole parameter during user registration and gain unauthorized administrative access to the site. The ability to create administrative users is a critical risk: it gives attackers full control over the WordPress environment, potentially leading to the modification or theft of sensitive data, installation of malicious code, or complete takeover of the site.
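One way to look for requests that carry this parameter, as an added example that is not part of the original advisory or the plugin's code: it assumes a WAF or reverse proxy that records each request as a JSON line with url, body and cookies fields (an assumed format; the sample lines are constructed) and flags every request containing lakit_bkrole, including encoded and array-style spellings of the name.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

PARAM = "lakit_bkrole"  # parameter named in the CVE-2026-0920 description

# Constructed sample input: one JSON object per request, in an assumed
# format for a WAF or reverse proxy configured to log form bodies.
SAMPLE_LOG = """
{"ts": "2026-01-23T09:58:11Z", "ip": "198.51.100.20", "url": "/wp-admin/admin-ajax.php", "body": "email=new%40example.test&username=alice", "cookies": ""}
{"ts": "2026-01-23T10:01:02Z", "ip": "203.0.113.7", "url": "/wp-admin/admin-ajax.php", "body": "email=a%40example.test&lakit_bkrole=example-role", "cookies": ""}
{"ts": "2026-01-23T10:01:09Z", "ip": "203.0.113.7", "url": "/wp-admin/admin-ajax.php", "body": "email=b%40example.test&lakit%5Fbkrole%5B%5D=example-role", "cookies": ""}
truncated line that is not JSON
{"ts": "2026-01-23T10:05:40Z", "ip": "192.0.2.33", "url": "/wp-admin/admin-ajax.php?lakit.bkrole=example-role", "body": "", "cookies": "wordpress_logged_in_0123=constructed"}
"""


def php_param_pairs(raw):
    """Decode a urlencoded string and normalise names the way PHP does."""
    pairs = []
    for name, value in parse_qsl(raw or "", keep_blank_values=True):
        name = name.split("[", 1)[0]        # name[] and name[0] map to name
        name = re.sub(r"[ .]", "_", name)   # PHP turns dots and spaces into "_"
        pairs.append((name, value))
    return pairs


def find_role_parameter(log_text):
    """Return one finding per logged request that carries PARAM."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                        # skip blank or damaged lines
        if not isinstance(rec, dict):
            continue
        pairs = php_param_pairs(urlsplit(rec.get("url", "")).query)
        pairs += php_param_pairs(rec.get("body", ""))
        roles = [value for name, value in pairs if name == PARAM]
        if roles:
            findings.append({
                "ts": rec.get("ts"), "ip": rec.get("ip"), "roles": roles,
                # No WordPress login cookie means the caller was unauthenticated.
                "authenticated": "wordpress_logged_in_" in rec.get("cookies", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in find_role_parameter(SAMPLE_LOG):
        print(finding)
```

Any finding is worth cross-checking against the site's user list for administrator accounts registered at or after the logged timestamp.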
Potential impact of CVE-2026-0920
- Unauthorized Access: Attackers can gain administrative privileges, granting them the ability to manipulate site configurations, access sensitive information, and perform any action that a legitimate administrator could, significantly compromising site integrity.
- Data Breach Risks: With administrative access, attackers can access, alter, or exfiltrate personal and sensitive data stored on the site, which could lead to severe privacy violations and data protection compliance issues.
- Malware Deployment: The vulnerability allows attackers to implement malware or backdoors into the site, which can be used to launch further attacks, spread malware to users, or even utilize the compromised site as part of a broader botnet strategy.

Affected Version(s)
LA-Studio Element Kit for Elementor * <= 1.5.6.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved