Unauthorized Account Creation in LA-Studio Element Kit for Elementor Plugin
CVE-2026-12276

Currently unrated

Key Information:

Vendor

WordPress

Vendor
CVE Published:
10 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-12276?

The LA-Studio Element Kit for Elementor WordPress plugin, prior to version 1.6.1, suffers from a security flaw where it permits unauthenticated users to register accounts even when user registration is disabled across the WordPress site. This vulnerability arises from the plugin's failure to verify the user registration settings before executing its AJAX actions, posing a risk by potentially allowing unauthorized access to the site.

Affected Version(s)

LA-Studio Element Kit for Elementor 0 < 1.6.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mike Gozdiskowski
WPScan
.