Backdoored LA-Studio Element Kit WordPress Plugin Enables Unauthenticated Admin Account Creation
A critical backdoor was identified in the LA-Studio Element Kit for Elementor WordPress plugin (active on 20,000+ sites), enabling unauthenticated attackers to create administrator accounts and take full control of affected websites. The issue is tracked as CVE-2026-0920 with a CVSS 9.8 rating, and exploitation has been reported in the wild. The malicious logic was embedded in the plugin’s registration flow, allowing attackers to elevate privileges during account creation and then perform typical admin-level actions such as uploading malicious files, injecting spam, or redirecting visitors.
Technical reporting attributes the backdoor to sabotage: the vendor stated the malicious code was planted by a former employee, with changes occurring around the time their employment ended. The vulnerable path is the ajax_register_handle() function, where attackers can supply a specific registration parameter, lakit_bkrole, to obtain administrator capability; the code was described as obfuscated to evade detection. CVE documentation characterizes the weakness as improper restriction of user role assignment during registration (mapped to CWE-269) and points to the affected versions up to and including 1.5.6.3, along with upstream code references and the associated Wordfence advisory.
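Sites that cannot move to 1.6.0 immediately may want an interim virtual patch. The following mu-plugin is an added example written for this summary, not LA-Studio's or Wordfence's code; it assumes only the parameter name lakit_bkrole reported above and the standard wp-content/mu-plugins/ drop-in directory, and it refuses any request carrying that parameter while also demoting administrator accounts created by a self-registration that no privileged user initiated.

```php
<?php
/**
 * Plugin Name: lakit_bkrole interim mitigation (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ until Element Kit 1.6.0 is installed.
 *              Blocks requests carrying the lakit_bkrole parameter named in the
 *              CVE-2026-0920 advisory and demotes administrator accounts that were
 *              created without a user who is allowed to create users being logged in.
 */

// 1. Request-level block: no legitimate client sends lakit_bkrole, so rejecting
//    it before any plugin registration handler runs is safe. Priority 0 on init
//    puts this ahead of normal plugin hooks.
add_action('init', function () {
    if (!isset($_REQUEST['lakit_bkrole'])) {
        return;
    }
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log(sprintf(
        '[lakit-mitigation] blocked request with lakit_bkrole from %s (ajax=%s)',
        $ip,
        wp_doing_ajax() ? 'yes' : 'no'
    ));
    wp_die('Forbidden', 'Forbidden', ['response' => 403]);
}, 0);

// 2. Defence in depth: if a freshly inserted account carries the administrator
//    role and nobody with create_users capability is making the request, revert
//    it to the site's default role and log the event for incident review.
add_action('user_register', function ($user_id) {
    if (current_user_can('create_users')) {
        return; // an administrator creating a user is expected behaviour
    }
    $user = get_userdata($user_id);
    if (!$user || !in_array('administrator', (array) $user->roles, true)) {
        return;
    }
    $user->set_role(get_option('default_role', 'subscriber'));
    error_log(sprintf(
        '[lakit-mitigation] demoted self-registered admin user_id=%d login=%s',
        $user_id,
        $user->user_login
    ));
}, PHP_INT_MAX);
```

The user_register check only covers a role passed into wp_insert_user; a role assigned afterwards by the plugin is stopped only by the request-level block, so both parts should stay in place until the update is applied.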

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Wordfence schedules Free user protection rollout
Wordfence said protection for free-tier users would become available on February 12, 2026, after Premium users had already received coverage. This marked the broader rollout of defensive coverage for sites still running vulnerable plugin versions.
Wordfence reports active exploitation in the wild
Wordfence said attackers were actively exploiting the backdoor and that it blocked 216 attack attempts in a 24-hour period. Public reporting also highlighted the vendor's claim that the issue stemmed from insider sabotage by a former employee.
CVE-2026-0920 is received and documented
The vulnerability was assigned CVE-2026-0920 and the CVE record notes it was received by security@wordfence.com on January 22, 2026. The entry described the flaw as unauthenticated privilege escalation through improper role restriction in ajax_register_handle().
LA-Studio releases version 1.6.0 to remove the backdoor
LA-Studio issued a patch in plugin version 1.6.0 to fix the vulnerability and remove the malicious code. Users were urged to update immediately because affected versions were installed on more than 20,000 WordPress sites.
Wordfence notifies LA-Studio and deploys Premium protection
Wordfence notified the vendor about the backdoor vulnerability and began protecting Premium users against exploitation. The issue was already being treated as critical because it enabled full site takeover through unauthenticated admin creation.
Researcher reports admin-creation backdoor to Wordfence
Researchers discovered the vulnerability in LA-Studio Element Kit for Elementor and reported it through the Wordfence Bug Bounty Program. The flaw affected versions up to and including 1.5.6.3 and allowed unauthenticated administrator account creation via the lakit_bkrole parameter.
Former employee allegedly plants backdoor in plugin code
LA-Studio said a former employee intentionally introduced obfuscated backdoor logic into the Element Kit for Elementor plugin shortly before leaving in late December 2025. The code allowed a hidden registration parameter to assign administrator privileges to a newly created user.
Sources
3 references tracked.
20,000 WordPress Sites Affected by Backdoor Vulnerability Allowing Malicious Admin User Creation (cybersecuritynews.com)
Sabotage & Exploited in the Wild: Critical Backdoor Found in LA-Studio Element Kit (securityonline.info)
CVE-2026-0920 - LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter (cvefeed.io)