Key Takeaways
- A critical backdoor vulnerability (CVE-2026-0920) has been discovered in the LA-Studio Element Kit for Elementor WordPress plugin, used by over 20,000 active sites.
- The vulnerability allows attackers to create administrator accounts without authentication, putting thousands of websites at risk of complete takeover.
- The backdoor was introduced by a former employee who modified the plugin code before leaving the company, highlighting the importance of code review processes during employee transitions.
- The vulnerability has been patched in version 1.6.0 of the plugin, and site administrators are advised to update immediately.
Introduction to the Vulnerability
A critical backdoor vulnerability has been discovered in the LA-Studio Element Kit for Elementor, a popular WordPress plugin used by more than 20,000 active sites. This security flaw allows attackers to create administrator accounts without any authentication, putting thousands of websites at risk of complete takeover. The vulnerability, tracked as CVE-2026-0920, carries a CVSS score of 9.8, marking it as a critical threat that requires immediate action from site administrators.
The Cause of the Vulnerability
The backdoor was introduced by a former employee who left the company in late December 2025. According to LA-Studio, the developer modified the plugin code shortly before their employment ended, inserting hidden functionality that allows unauthorized administrator account creation. The incident illustrates the growing concern around insider threats: a backdoor planted by a departing developer is precisely the kind of change that code review during employee transitions, backed by robust security controls, is meant to catch before it ships.
Discovery and Patching of the Vulnerability
Security researchers Athiwat Tiprasaharn, Itthidej Aramsri, and Waris Damkham discovered the vulnerability on January 12, 2026, and reported it through the Wordfence Bug Bounty Program. Wordfence analysts identified the flaw within the plugin’s user registration system, specifically in the ajax_register_handle function. The vulnerability was patched quickly, with version 1.6.0 released on January 14, 2026, just two days after the initial report. The vulnerability exists in all versions up to and including 1.5.6.3 of the LA-Studio Element Kit for Elementor plugin.
Exploitation of the Vulnerability
Attackers can exploit this flaw by sending a specially crafted registration request containing the lakit_bkrole parameter. Once successful, they gain full administrative access to the targeted WordPress site, allowing them to upload malicious files, modify content, redirect visitors to harmful websites, or inject spam content. The published details (affected plugin, plugin slug, and affected versions) let site administrators confirm whether their installation is exposed and act accordingly.
The Obfuscated Backdoor Mechanism
The backdoor operates through a carefully hidden modification within the plugin’s registration handling system. When examining the code, Wordfence analysts found that the ajax_register_handle function contained obfuscated logic that checked for the presence of the lakit_bkrole parameter during user registration. If this parameter was detected, the function would trigger additional filters that assigned administrator privileges to the newly created account. The obfuscation included techniques like string manipulation and indirect function calls, making the malicious code blend seamlessly with legitimate plugin functionality.
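The two facts a defender can act on from the sections above are the affected version range (everything up to and including 1.5.6.3, fixed in 1.6.0) and the indicator the backdoor keys on (the lakit_bkrole parameter). The following triage script, added here as an example and not code from Wordfence or LA-Studio, reads the standard WordPress plugin header to determine the installed version, compares it against the vulnerable range with a four-part version comparison, and greps the plugin tree for the indicator string. The plugin directory layout, the file names and the PHP line in the fixture are all constructed for the example; only the version numbers and the parameter name come from the advisory.

```python
"""Triage helper for CVE-2026-0920 (LA-Studio Element Kit for Elementor).

Added example, not Wordfence's or LA-Studio's code. Assumes only a standard
WordPress plugin header ("Version: x.y.z") in a top-level .php file; the real
plugin's file layout is not assumed.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

LAST_VULNERABLE = "1.5.6.3"   # all versions up to and including this are affected
PATCHED = "1.6.0"             # first fixed release
INDICATOR = "lakit_bkrole"    # request parameter the backdoor checks for

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.5.6.3' -> (1, 5, 6, 3); tuple comparison handles 3- and 4-part versions."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when version <= 1.5.6.3 (a shorter tuple with an equal prefix compares lower)."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def read_plugin_version(plugin_dir: Path) -> Optional[str]:
    """Find the 'Version:' header in any top-level .php file of the plugin."""
    for php in sorted(plugin_dir.glob("*.php")):
        match = VERSION_RE.search(php.read_text(encoding="utf-8", errors="replace"))
        if match:
            return match.group(1)
    return None


def find_indicator(plugin_dir: Path) -> List[Tuple[str, int, str]]:
    """Return (relative path, line number, stripped line) for every .php line mentioning the indicator."""
    hits = []
    for php in sorted(plugin_dir.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if INDICATOR in line:
                hits.append((str(php.relative_to(plugin_dir)), lineno, line.strip()))
    return hits


def triage(plugin_dir: Path) -> dict:
    """Combine the version check and the indicator scan into one verdict."""
    version = read_plugin_version(plugin_dir)
    hits = find_indicator(plugin_dir)
    vulnerable = version is not None and is_vulnerable_version(version)
    if vulnerable:
        verdict = f"UPDATE NOW: version {version} is <= {LAST_VULNERABLE}"
    elif hits:
        # A patched version number does not prove the files on disk are clean.
        verdict = "REVIEW: version looks patched but the indicator string is present"
    elif version is None:
        verdict = "UNKNOWN: no Version header found"
    else:
        verdict = f"OK: version {version} is >= {PATCHED} and no indicator found"
    return {"version": version, "vulnerable": vulnerable, "hits": hits, "verdict": verdict}


def build_constructed_fixture(root: Path) -> Path:
    """Write a fake plugin tree. Constructed for this example; not the real plugin's files."""
    plugin = root / "constructed-plugin-dir"
    (plugin / "includes").mkdir(parents=True)
    (plugin / "main.php").write_text(
        "<?php\n/**\n * Plugin Name: Constructed Plugin\n * Version: 1.5.6.3\n */\n")
    (plugin / "includes" / "register.php").write_text(
        "<?php\n// constructed stand-in for the suspicious branch\n"
        "if ( isset( $_POST['lakit_bkrole'] ) ) { /* ... */ }\n")
    return plugin


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_constructed_fixture(Path(tmp)))
        print(result["verdict"])
        for path, lineno, line in result["hits"]:
            print(f"  {path}:{lineno}: {line}")
```

Run it against a real installation by passing the plugin's directory under wp-content/plugins to triage(); a hit on an already-patched version is reported for manual review rather than treated as clean, because the version header only describes what the files claim to be, not what they contain.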
Conclusion and Recommendations
The discovery of the backdoor vulnerability in the LA-Studio Element Kit for Elementor plugin highlights the importance of robust security measures, including code review processes and employee background checks. Site administrators are advised to update to version 1.6.0 of the plugin immediately to prevent potential attacks. Additionally, companies should prioritize insider threat prevention and have incident response plans in place to minimize the impact of such incidents. By taking proactive measures, website owners can protect their online presence and prevent unauthorized access to their sites.